The present invention begins with the use of a privacy server, which maintains a watch
list of privacy protection criteria. The client software may contain two customized sets of 
such criteria to be used in conjunction with the watch list, as follows: 

1. A black list or blacklist (hereafter, "blacklist") containing privacy protection criteria
to be used in conjunction with that included in the watch list. 

2. A trust list or trustlist (hereafter, "trustlist") containing exemptions to the privacy 
protection criteria included in the watch list. 

These optional lists, combined with the server watch list, create a composite list of 
privacy protection criteria, which is stored on the client. The composite list is created by 
subtracting exemptions on the trustlist from the watch list and adding the remaining 
criteria to the blacklist. 



Entity Relationship Diagram



The following diagram displays a graphical representation of entities included in the 
invention of ActivePrivacy and the relationships between these entities. 

FIGURE 1: ENTITY RELATIONSHIP DIAGRAM

The above diagram shows the three main objects used by the invention of
ActivePrivacy: the Watch List, the Personal Trustlist and the Personal Blacklist. The
Watch List is stored on the server and is distributed to the client via a subscription 
process. The Personal Trustlist and Personal Blacklist are maintained by the user on the 
client. Each of these three lists is made up of one or more uniform resource locator 
(URLs). 

1. The Watch List is essentially a managed security list of privacy protection criteria,
stored on the server and distributed to the client software.

2. The Client Software contains the user managed privacy data preferences and retrieves 
the managed Watch List from the server. 

The privacy data referenced above can take several forms, most commonly that of a web 
site, URL, or other cookie blocking or accepting criteria. 






Object Details 



As displayed in Figure 1, there are three basic objects combined in the invention of 
ActivePrivacy: the Watch List, the Personal Trustlist and the Personal Blacklist. Each 
list is made up of privacy protection criteria. This information may take the form of a list 
of web sites for which the local storage of cookies shall be rejected. The state 
management protocol of a cookie may store unique or identifying information about the 
user, the user's session or the user's Internet account. These lists are described in further
detail below. 



The Watch List is a compilation of privacy protection criteria distributed to the client 
system from a central privacy server over a network. This may include Internet sites, 
which may use cookies to store unique or identifying information about the client 
software user. In the case of the ActivePrivacy software application, this list is 
maintained by Ascentive LLC and stored on an Internet accessible hypertext transfer 
protocol (HTTP) server. 




The Personal Trustlist is a list of exemptions to the privacy protection criteria, which may 
or may not be included in the Watch List. This second list may include Internet sites, 
which may use cookies to store unique or identifying information about the client 
software user. This list is customized and maintained by the client software user. It 
contains those Internet sites that the user trusts, and those sites are allowed to download 
their cookies to the user's client. 




The Personal Blacklist is a locally maintained list of privacy protection criteria to be 
merged with the Watch List. This third list may include those Internet sites that should 
be blocked from creating cookies to store unique or identifying information about the 
client software user. Like the Personal Trustlist, this list may also be customized and 
maintained by the client software user. It may contain those Internet sites that the user 
does not trust, and the cookies from those sites are removed from the user's client by the 
ActivePrivacy software application. 

The Composite List is a combination of the three lists above. It starts with the privacy
server maintained Watch List. Any privacy protection exemptions contained in the 
Personal Trustlist are removed from the Composite List. Next, any privacy protection 
criteria on the Personal Blacklist that are not already on the Composite List are added to 
the Composite List. The Composite List is then used as a master list of privacy 
protection criteria to be used to protect the client. 

Database



ActivePrivacy stores a Watch List on the server. This Watch List is simply a collection 
of privacy protection criteria. In one preferred embodiment of the present invention, 
diagrammed below, privacy protection takes the form of cookies that may be rejected by 
the client. 

FIGURE 2: DATA STRUCTURE

Detailed Flow Diagram



The following high-level functional flowchart demonstrates the process of comparing 
data elements distributed to the client to a locally created composite list of privacy 
protection criteria and determining which of those elements should be removed from the 
client. 

FIGURE 3: DETAILED FLOW DIAGRAM

The following is a detailed description of how the above process is carried out: 

1. ActivePrivacy allows the user to maintain an optional Personal Trustlist. This
optional Trustlist contains the exemptions the user would like to allow to the 
distributed Watch List. 

2. ActivePrivacy allows the user to maintain an optional Personal Blacklist. This 
optional Blacklist contains the privacy protection criteria the user would like to 
add to the Watch List. 

3. ActivePrivacy employs the QuickUpdate Algorithm to retrieve the most recent 
distributed Watch List from the server. The Watch List is maintained on the 
server and contains a predefined set of privacy protection criteria, which the user 
subscribes to. 

Note: The user may manually run a QuickUpdate to retrieve the most up-to-date 
privacy information available to the client at any time. This process can also be 
run automatically by the software application at regularly scheduled intervals. 

4. ActivePrivacy employs the Privacy Scanning Algorithm to determine those 
unwanted elements that should be removed from the client computer. 

5. ActivePrivacy removes unwanted data elements from the client computer. 

Note: The user may specify the time interval at which the Privacy Scan will 
regularly take place. In addition, the best mode of the Invention allows the user
to manually run a Privacy Scan at any time to remove unwanted data elements
from the client. This process can also be run automatically by the software
application at regularly scheduled intervals.

ActivePrivacy employs two distinct algorithms. The QuickUpdate Algorithm is used to
synchronize the client Watch List with that stored on the server. The Privacy Scanning 
Algorithm is used to implement the privacy protection criteria comprising the composite 
list. The algorithm detects unwanted cookies and scrubs them from the client system. 




The ActivePrivacy Watch List is stored on the server. The client subscribes to the server 
in order to receive the distributed Watch List. If authentication is being used, when the 
client connects to the server, authentication is performed in order to ensure that the client 
is registered to receive updates. If the client is properly registered, after authentication 
the updated Watch List is distributed to the client. If the client does not pass 
authentication, the update is not distributed. 

Note: The QuickUpdate Algorithm can be utilized with or without authentication. 



The Privacy Scanning Algorithm is employed to remove unwanted cookies from the 
client. In order to do this successfully, this algorithm makes use of the following 
components of the client software: 

• Watch List distributed from the server 

• Personal Trustlist

• Personal Blacklist. 

The Privacy Scanning Algorithm compares the privacy protection data on the client to 
that on the Composite List compiled from the Watch List, Personal Trustlist and Personal 
Blacklist. The Privacy Scanning Algorithm detects cookies to be removed from the client 
as depicted in the following table: 



Watch List   Personal Trustlist   Personal Blacklist   Cookie Scrubbed?
Yes          No                   No                   Yes
Yes          Yes                  No                   No
Yes          No                   Yes                  Yes
No           Yes                  No                   No
No           No                   Yes                  Yes
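
The composite-list rule and the scrub decisions described above, as an added Python example (not code from the ActivePrivacy application): the Composite List is the Watch List minus the Personal Trustlist, plus the Personal Blacklist, and a cookie is scrubbed when its domain is on that list. The function names, the exact-host matching and the sample domains are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit


def normalize(entry):
    """Reduce a URL, host name or cookie Domain attribute to a bare lower-case host."""
    entry = entry.strip().lower()
    # urlsplit only fills in .hostname when the string has a "//" authority part.
    host = urlsplit(entry if "//" in entry else "//" + entry).hostname or ""
    return host.lstrip(".")  # cookie domains may carry a leading dot


def build_composite(watch, trust, black):
    """Composite List = (Watch List - Personal Trustlist) + Personal Blacklist."""
    watch, trust, black = (
        {normalize(e) for e in entries} - {""} for entries in (watch, trust, black)
    )
    conflict = trust & black
    if conflict:
        # The user interface described on the page never lets one domain sit on both lists.
        raise ValueError(f"on both Trustlist and Blacklist: {sorted(conflict)}")
    return (watch - trust) | black


def privacy_scan(cookies, composite):
    """Split (domain, name) cookie records into (kept, scrubbed)."""
    kept, scrubbed = [], []
    for domain, name in cookies:
        target = scrubbed if normalize(domain) in composite else kept
        target.append((domain, name))
    return kept, scrubbed


# Constructed sample data: one domain per row of the decision table, plus one
# domain that is on no list at all. Matching is exact-host only (an assumption).
WATCH = ["http://ads.example/", "shop.example", "tracker.example"]
TRUST = ["shop.example", "bank.example"]
BLACK = ["tracker.example", "quiz.example"]
COOKIES = [
    (".ads.example", "uid"),       # Watch List only
    ("shop.example", "cart"),      # Watch List + Trustlist
    ("tracker.example", "tid"),    # Watch List + Blacklist
    ("bank.example", "session"),   # Trustlist only
    ("QUIZ.example", "score"),     # Blacklist only
    ("news.example", "prefs"),     # on no list
]

if __name__ == "__main__":
    composite = build_composite(WATCH, TRUST, BLACK)
    kept, scrubbed = privacy_scan(COOKIES, composite)
    print("composite:", sorted(composite))
    print("scrubbed: ", scrubbed)
    print("kept:     ", kept)
```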

User Interface



The ActivePrivacy software application is designed to employ the Invention in its best 
mode. This application provides an interface, which allows users to personalize a 
Trustlist and Blacklist of cookies as shown below. 




FIGURE 4: USER INTERFACE 



When either "Add New" button is clicked, the user is prompted to enter an Internet 
domain. The interface pictured above allows users to customize these two lists of 
Internet domains. The user can move a domain from one list to the other, delete a 
domain from either list, or add a domain to either list. In addition, the application 
prevents an Internet domain from being placed on both the Personal Trustlist and 
Personal Blacklist. 






The above figure displays an example of the user interface with the Personal Trustlist and 
Personal Blacklist populated. Using this example, the following domains will be trusted 
and ActivePrivacy will allow their cookies to be downloaded to the client: 

• www.ascentive.com

• www.msn.com

• www.dell.com

Also, based on this example, the following domains will not be allowed to download a
cookie to the client:

• www.ebay.com

• www.ediets.com 

• www.microsoft.com 




In addition to the invention of using a combination of a Watch List, a Personal Trustlist 
and a Personal Blacklist to create a Composite List for detecting unwanted cookies on a 
client, the ActivePrivacy software application provides further functionality to the user. 
This functionality includes the following: 

• Ability for user to manually launch the privacy scan 

• Ability for user to manually retrieve the latest privacy Watch List from the server 

• Ability for user to customize Personal Trustlist 

• Ability for user to customize Personal Blacklist 

• Ability for user to view client cookies 

• Ability for user to select and manually delete cookies 

• Ability for user to enable/disable privacy scanning. 

The present invention is capable of running on any hardware configuration that is used as
part of today's technology. In order to retrieve the latest Watch List and update the 
Composite List used by the Invention, the client software must be able to connect to an 
HTTP server. 



Ascentive LLC has designed the ActivePrivacy software application to work with any 
computer operating system. However, in today's modern marketplace, Microsoft
Windows is the most commonly used computer operating system. Therefore, although
programming has not been completed for all operating systems, the application is 
currently available for use with the Microsoft Windows operating system in the following 
versions: Windows 95, Windows 98, Windows Me, Windows NT and Windows 2000. In 
order to subscribe to the distributed Watch List using ActivePrivacy's QuickUpdate 
functionality, the client software must have connectivity to the Internet. 

The present invention is described in the context of a software application called
ActivePrivacy which has been commercialized by Ascentive LLC, Philadelphia, 
Pennsylvania. However, the scope of the present invention is not limited to this 
particular implementation of the invention. 

The present invention may be implemented with any combination of hardware and 
software. If implemented as a computer-implemented apparatus, the present invention is 
implemented using means for performing all of the steps and functions described above. 

The present invention may be implemented with any combination of hardware 
and software. The present invention can be included in an article of manufacture 
(e.g., one or more computer program products) having, for instance, computer 
useable media. The media has embodied therein, for instance, computer readable 
program code means for providing and facilitating the mechanisms of the present 
invention. The article of manufacture can be included as part of a computer 
system or sold separately. 

It will be appreciated by those skilled in the art that changes could be made to the 
embodiments described above without departing from the broad inventive concept 
thereof. It is understood, therefore, that this invention is not limited to the
particular embodiments disclosed, but it is intended to cover modifications within 
the spirit and scope of the present invention. 

METHOD AND APPARATUS FOR ENCRYPTED COMMUNICATIONS
TO A SECURE SERVER

BACKGROUND OF THE INVENTION

1. Field of the Invention 

The present invention relates generally to communication with a
network, and in particular, relates to encrypted communication with a network via a
secure server.

2. Background Information

Networks such as the Internet and World Wide Web (web) are
extremely popular to users as a source of information and entertainment. The web
is used for communication between central sites (e.g., web sites) on the Internet and
[...] control the communications: a web browser that runs on the user's computer and a
web server that runs on the web site's computer.

To obtain information from a web site, a web browser sends a request
to a web server by transmitting a uniform resource locator (URL) address of the web
site and by using a communication protocol such as Transmission Control
Protocol/Internet Protocol (TCP/IP). In typical situations, such a request to the web
server is in the form of a hypertext transfer protocol (HTTP) request that results in a
transmission of hypertext markup language (HTML) documents (e.g., web pages)
back to the web browser.

Many employers provide their employees with terminals, such as
personal computers (PCs), which the employees can use to access the Internet to
send/receive email and to "surf the Net." According to a common configuration,
such PCs are connected together in a company's internal network, such as a local
area network (LAN), and then connected via the company's proxy server to Internet
servers.

The proxy server often serves as part of the company's "firewall,"
where incoming and outgoing communications can be monitored by the company's
information systems. In operation, employees are generally forced to connect to the
Internet via this firewall. In other words, all communications (usually in the form of
packets) are passed first through the proxy server, and then out to the destination
web site. Similarly, content requested from the Internet, such as HTML pages, is
first sent to the proxy server, and then forwarded to the employee's terminal for
display by a web browser.

Because of this standard network architecture, individual terminals
(e.g., users or employees) are vulnerable to the monitoring of: a) content uploaded
[...] sends; b) content downloaded from a web site, such as HTML pages viewed on the
web site or Internet email messages that the user receives and reads; and c) the
Internet Protocol (IP) or URL addresses of servers to which the user sends/receives
packets.

There are similar privacy and security issues involved with network
architectures other than the corporate network described above. For example, users
accessing the Internet from terminals in their homes sometimes have their packets
routed through an Internet Service Provider (ISP) and/or along a system having a
ring or loop configuration, such as a cable modem system. In such situations,
hackers or other parties have the opportunity to monitor individual users'
communication at the ISP or at other locations, and thus can obtain information that
the users wish to keep confidential, such as URLs of visited web sites, IP addresses
of servers used, content (e.g., HTML pages or email) sent/received by the user, etc.

Additional mechanisms are implemented by Internet-based systems
that further jeopardize the freedom of users to communicate privately and securely
with the Internet. For instance, companies that control employees' Internet usage
sometimes implement firewall blocking or filtering to prevent access to particular web
sites. Also, visited web sites often record IP addresses of clients (e.g., users) and
collect other data to help identify clients during a profiling process. Further, web
servers typically transmit "cookies" for storage in users' terminals. Cookies are
electronic files sent by the web server to the web browser to help identify the user
and to prepare customized web pages when the user returns to the web site. In
typical situations, web pages and histories of URLs accessed (e.g., a web browser
history file) are stored at the user's terminals, thereby further compromising the
privacy of the user.

[...] private and secure communications
over networks such as the Internet.

BRIEF DESCRIPTION OF THE DRAWINGS

Non-limiting and non-exhaustive embodiments of the present invention
will be described in the following figures, wherein like reference numerals refer to
like parts throughout the various views unless otherwise specified.

Figure 1 shows a system that can implement an embodiment of the
invention.

Figure 2 is a flowchart showing an embodiment of a method for secure
communication that can be implemented by the system of Figure 1.

Figure 3 shows an embodiment of a browser window that can be
displayed using the secure communication method of Figure 2.

Figure 4 shows a system that can implement another embodiment of
the invention.

Figure 5 is a flow chart showing an embodiment of a method for secure
communication that can be implemented by the system of Figure 4.

DETAILED DESCRIPTION OF THE ILLUSTRATED EMBODIMENTS

Embodiments of a method and apparatus for secure communication to
a network, such as the Internet, via a secure server are described in detail herein. In
the following description, numerous specific details are provided, such as a
description of various system components in Figure 1, to provide a thorough
understanding of embodiments of the invention. One skilled in the relevant art will
recognize, however, that the invention can be practiced without one or more of the
specific details, or with other methods, components, etc. In other instances,
well-known structures or operations are not shown or described in detail to avoid
obscuring aspects of various embodiments of the invention.

Reference throughout this specification to "one embodiment" or "an
embodiment" means that a particular feature, structure, or characteristic described in
connection with the embodiment is included in at least one embodiment of the present
invention. Thus, the appearances of the phrases "in one embodiment" or "in an
embodiment" in various places throughout this specification are not necessarily all
referring to the same embodiment. Furthermore, the particular features, structures, or
characteristics may be combined in any suitable manner in one or more
embodiments.

Referring first to Figure 1, shown generally at 10 is a system that can
implement an embodiment of the invention. The system 10 can include a network
12, such as the Internet, but other types of communication networks may be utilized
as well. For example, the network 12 can comprise a local area network (LAN),
virtual local area network (VLAN), asynchronous transfer mode (ATM) network, or
other network or portion of a network.

The system 10 includes one or more secure servers 14
communicatively coupled to one or more terminals 16 via one or more secure links
18. The server 14 can be coupled to other servers (not shown) in the network 12
that run web server software. The servers in the network 12 can provide a plurality
of web sites 17 and 19 having HTML, extensible markup language (XML), extensible
style language (XSL), etc. web pages. Typically, the web sites 17 and 19 (or other
components coupled to the network 12) are identifiable by a numeric IP address
and/or by a URL address.

The web pages of the web sites 17 and 19 can be provided to
components (e.g., to servers or terminals) communicatively coupled to the network
12 using a protocol such as TCP/IP, HTTP, FTP, or other suitable protocol. In one
embodiment, the server 14 can securely provide web pages to the terminal 16, in a
manner that will be described in further detail below.

The server 14 can include one or more processor units 30 to perform
the various methods, processes, and algorithms described herein, using a compiler,
for example. The processor unit 30 can be communicatively coupled to one or more
database units 32, in a manner such that information in the database unit 30 is
accessible by the processor unit 30. The server 14 can also include a storage unit
34 to provide the server 14 with additional storage capacity for storing software and
other data. The server 14 may further include a communication unit 36 to provide
communication hardware, software, protocols, and other features and functions for
communication between the server 14 and the terminal 16 (or between the server 14
and other components connected to the network 12).

The storage unit 34 and database unit 30 can comprise
machine-readable media. According to one embodiment, the storage unit 30 can store
machine-readable instructions or software to perform the various functions described
throughout this detailed description to provide secure communication with the
terminal 16. The database unit 30 can store information specific to particular users
or terminals 16, cookies, electronic files, and other such data related to one or more
communication sessions between terminals 16 and the secure server 14.

The terminals 16 can comprise personal computers (PCs) to access
the server 14. The terminals 16 each have a display unit 20 that allows users to
view information sent to and from the server 14, using a suitable commercially
available web browser such as Microsoft's Internet Explorer™ or Netscape's
Navigator™. The terminal 16 can include an input/output unit 22, such as a
keyboard and mouse. The terminal 16 may also include a processor 24, and a
storage unit 26, which can be any type of machine-readable storage medium such
as read only memory (ROM), random access memory (RAM), compact disks (CDs),
digital versatile disks (DVDs), hard disk, magnetic tape, floppy disks, etc. The
storage unit 26 can store the web browser, and can also include caches to store
downloaded web pages and other information obtained during the course of
communication with the network 12.

Although the terminal 16 is described herein for illustrative purposes as
a PC, it is to be appreciated that other types of terminals may be used. These
include laptops, enhanced functionality wireless devices, handheld devices,
television sets, workstations (e.g., dumb terminals) connected to a network, and
other such devices that can communicate with the network 12. Accordingly,
embodiments of the invention are not limited by the specific type of terminal used.

The terminal 16 can be a stand-alone unit, or it may be connected to
other terminals 16 forming part of a corporate LAN, for example. A typical corporate
LAN communicates with the network 12 via a proxy server 38, operated by an
information systems 40. In many cases, the information systems 40 and/or the
proxy server 38 operate a firewall system 42 to control and monitor network traffic
sent to and from the network 12.

Attorney Docket: 004828.P001

According to an embodiment of the invention, communication between
the terminal 16 and the network 12 is conducted on the secure link 18 that goes
through the proxy server 38 and firewall system 42. In such an embodiment, the
communication can pass freely through the proxy server 38 and firewall system in a
secure and private manner, as will be described below.

The secure link 18 can be an ISDN, T1, xDSL, SONET, Ethernet, or
other type of high-speed link. The secure link 18 may also be a telephone modem
link. Twisted-pair, coaxial cable, fiber optic, or other types of physical links/lines may
be used. Wireless links, such as radio frequency, satellite, microwave, optical, etc.
may be used as well. Accordingly, embodiments of the invention are not limited by
the specific type of link used by the secure link 18.

Although a LAN-type configuration is shown in the embodiment of
Figure 1, it is understood that other embodiments of the invention may be
implemented in other ways. For example, in one embodiment, an ISP may take the
place of the proxy server 38, information systems 40, and firewall system 42, where
the terminal 16 is an individual unit located in the user's home. Other configurations,
such as loop configurations, are possible for implementing embodiments of the
invention, so long as the secure link 18 can be provided between the terminal 16
and the secure server 14.

Shown next in Figure 2 is a flowchart 46 depicting a method for secure
communication that can be implemented by the system 10 of Figure 1. A
communication typically begins at a block 48, when the user launches a web
browser in the terminal 16. Once the web browser is launched, the user may
connect to the secure server 14 by entering a URL address of the secure server 14.

The address entered by the user may include the conventional http://
prefix, followed by the URL address (e.g., domain name) of the secure server 14
(which may include the conventional "www" designation). In one embodiment, the
user may enter the prefix https://, followed by the URL address of the secure server
14, where https:// indicates a "hypertext transfer protocol secure" mode supported by
software of the secure server 14.

Once the user has entered the URL address of the secure server 14,
the web browser initiates a communication with the secure server 14 (e.g., sends a
request) at the block 50. It is noted that such a communication is typically
transmitted through the firewall system 42 and proxy server 38. In response to the
web browser request, the secure server 14 establishes the secure link 18 to the
terminal 16.

According to an embodiment of the invention, the secure link 18 may
be established by the secure server 14 using secure server sockets layer (SSL)
protocols and procedures, in a manner known in the art. Once the secure link 18 is
established, data may be exchanged between the secure server 14 and the terminal
16 in an encrypted manner using RSA (with public and private keys) or other
suitable encryption algorithms.

The user may establish the secure link 18 with the secure server 14
simply by entering https:// in one embodiment. In another embodiment, where the
user enters http:// plus the URL address of the secure server 14, the secure link 18
may be established, for example, by subsequently clicking an "Enter Secure Mode"
button on a web page provided by the secure server 14 in response to the initial web
browser request/communication.

Upon establishment of the secure link 18, a secure browser window
may be displayed (at a block 52) on the display unit 20 of the terminal 16. An
example of such a secure browser window is shown at 66 in Figure 3. The secure
browser window 66, in one embodiment, may be a new browser window launched
on the terminal 16 by the secure server 14. In another embodiment, the secure
browser window 66 may be a modified and secure version of the browser window
which was previously launched at the block 48, and which is subsequently
modified/secured by the secure server 14.

The secure browser window 66 can include a conventional menu/tool
bar 68, an address field 70 to enter URL addresses of destination web sites, and
scrolling controls 72 and 74. Additionally, the secure browser window 66 may
include an icon 76 to assist the user in visually recognizing that the secure link 18
with the secure server 14 is active.

A display region of the secure browser window 66 can display a
plurality of banner advertisements 78, 80, and 82, each provided with hypertext
link(s). In some instances, one or more of the banner advertisements 78, 80, or 82
can be located in other regions of the secure browser window 66, such as next to
the address field 70, and not just in the display region (sometimes referred to as a
"chrome"). [...] profiling of these banner advertisements 78-82
with respect to the user is described later below. The display region can also display
content 84 from web pages of websites 17 and 19 subsequently requested by the
user. The displayed content of 84 can include one or more hypertext links 86-88.

It is noted at this point that because the secure link 18 is active, the
proxy server 38 and/or information systems 40 cannot determine the content
displayed by the secure browser window 66. While the proxy server 38 and/or
information systems 40 may be able to detect that a communication is ongoing with
the secure server 14 (e.g., by detecting the URL address of the secure server 14
that generated the secure browser window 66), all other content exchanged between
the terminal 16 and secure server 14 is unintelligible data. That is, because the data
is encrypted and because the proxy server 38 and/or information systems 40 do not
have the decryption algorithm (e.g., the private key), data sent to and from the secure
browser window 66 is an incoherent data stream to them.

As an example at a block 54 in the flowchart 46 of Figure 2, the user
may subsequently enter a URL address of a destination web site in the address field
70. To send the URL address of the web site to the secure server 14 according to
one embodiment, the web browser can first concatenate the URL address of the
destination web site to the currently active URL address of the secure server 14 (by
separating them with a forward slash "/"), encrypting the portion of the concatenated
URL address that has the URL address of the destination web site, and then
transmitting this data/request to the secure server 14. The information detected by
the proxy server 38 and/or information systems 40, if any, may thus be just the URL
address of the secure server 14, followed by unintelligible encrypted data. In this
manner, it appears to the proxy server 38 and/or information systems 40 that all
communication from the terminal 16 is directed to the secure server 14 and not to
other URL or IP addresses. The proxy server 38 and/or information systems 40
cannot determine the activity at the secure server 14 directed towards transactions
with the destination web site.

Upon receipt of the request from the user's web browser, the software
in the secure server 14 decrypts the request to obtain the URL address of the
destination web site. The secure server 14 then connects to the destination web site
to obtain the appropriate web page, while performing additional encryption or URL
rewriting to hide or delete the IP address of the terminal 16 that originated the
request. As such, according to one embodiment, the destination web site cannot
determine the IP address of the terminal 16 that originally requested the web page,
due to the fact that the IP address of the secure server 14 appears as the source
address to the web site. Therefore, IP addresses of users and their identity are kept
protected from visited web sites.

When the requested web page is received from the destination web
site by the secure server 14, software in the secure server 14 performs various
manipulative processes on the web page at a block 56. For example, software of
the server 14 can perform URL rewriting of hypertext links in the web page, such
that URL addresses of these hypertext links are concatenated with the URL address
of the secure server 14, separated by a forward slash "/". These modifications
prevent any further contact between the terminal 16 and web sites corresponding to
the hypertext links, except via the secure server 14, if these hypertext links are
subsequently clicked by the user, as described later with respect to a block 60 in the
flowchart 56.

The software of the secure server 14 may also make modifications to
the script and/or code of the web page, such as modifications to the HTML,
JavaScript™ and Java™ code. This ensures that the user's web browser never
receives an instruction to contact a web site or server other than the secure server
14. For example, with prior art methods, the user's web browser may receive a
command to contact various other servers or web sites (e.g., third-party ad servers
or web sites linked to the displayed web page via hypertext links), which results in
the transmission of the IP address of the terminal 16 to these other servers or web
sites. An embodiment of the invention rewrites such commands so that the user's
web browser instead contacts the secure server 14, and asks it to retrieve the
appropriate web page, file, etc., thereby protecting the IP address of the terminal 16
from the other servers or web sites.
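
The link rewriting at block 56 and the matching server-side recovery of the destination address are illustrated below, together with a check that lists the URLs attribute rewriting alone leaves untouched, which is the gap the script modification described above has to close. This is an added example, not code from the patent: the host secure.example, the helper names, the constructed sample page, and the use of base64url as a stand-in for the encryption step are all assumptions.

```python
import base64
import html
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SECURE_SERVER = "https://secure.example"   # assumed address of the secure server 14
URL_ATTRS = {"href", "src", "action"}      # attributes that make a browser send a request


def wrap(dest_url):
    """Concatenate the server address and the destination, separated by "/".

    base64url stands in for the encryption step: it is an encoding, not a
    cipher, and is used only to keep this example dependency-free.
    """
    token = base64.urlsafe_b64encode(dest_url.encode()).decode().rstrip("=")
    return f"{SECURE_SERVER}/{token}"


def unwrap(request_url):
    """Server side: recover the destination URL from a wrapped request."""
    prefix = SECURE_SERVER + "/"
    if not request_url.startswith(prefix):
        raise ValueError("request is not addressed to the secure server")
    token = request_url[len(prefix):]
    dest = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4)).decode()
    if urlsplit(dest).scheme not in ("http", "https"):
        raise ValueError("only http(s) destinations are retrieved")
    return dest


class LinkRewriter(HTMLParser):
    """Re-emits a page with every URL-bearing attribute routed via the server."""

    def __init__(self, page_url):
        super().__init__(convert_charrefs=False)
        self.page_url = page_url
        self.out = []

    def _rewrite(self, value):
        if value.startswith("#") or value.startswith(SECURE_SERVER + "/"):
            return value                      # in-page anchor or already concatenated
        absolute = urljoin(self.page_url, value.strip())
        if urlsplit(absolute).scheme not in ("http", "https"):
            return value                      # mailto:, data: and similar stay as they are
        return wrap(absolute)

    def _tag(self, tag, attrs, end=""):
        parts = [tag]
        for name, value in attrs:
            if value is None:
                parts.append(name)            # valueless attribute such as "disabled"
            else:
                if name in URL_ATTRS:
                    value = self._rewrite(value)
                parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + end + ">")

    def handle_starttag(self, tag, attrs):
        self._tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._tag(tag, attrs, " /")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)                 # text and script bodies pass through unchanged

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def rewrite_page(markup, page_url):
    """Return the page with relative and absolute links routed via the server."""
    parser = LinkRewriter(page_url)
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


def direct_contacts(markup):
    """Absolute URLs still in the page that would bypass the secure server."""
    urls = re.findall(r"""https?://[^\s"'<>)]+""", markup)
    return sorted({u for u in urls if not u.startswith(SECURE_SERVER + "/")})


# Constructed sample page, as if retrieved from https://news.example/index.html
SAMPLE_PAGE = """<html><body>
<a href="/sports/today.html">Sports</a>
<a href="https://partner.example/offer?id=7&amp;src=news">Offer</a>
<img src="//ads.example/banner.gif" alt="ad">
<a href="#top">Top</a>
<script>new Image().src = "https://tracker.example/pixel.gif";</script>
</body></html>"""

if __name__ == "__main__":
    page = rewrite_page(SAMPLE_PAGE, "https://news.example/index.html")
    print(page)
    print("not covered by attribute rewriting:", direct_contacts(page))
```

On the constructed page, the relative link, the absolute link and the protocol-relative image are all routed through the server, while the URL inside the inline script is reported as the one remaining direct contact.
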

At the block 56, the software of the secure server 14 may also perform
cookie control and management operations. For example, if users have specified
that they do not wish to receive cookies or other electronic files, then the secure
server 14 can block or filter cookies transmitted from the web site along with the web
page. Furthermore, if the user has agreed to some or no limitation on cookie
exchange, then the secure server 14 may control the type and quantity of cookies
that are eventually passed to the terminal 16. Additional details of how the user can
control cookies are described later below.

After receiving the web page and performing the activities described
above, the secure server 14 encrypts the web page and sends it to the web browser
of the terminal 16, via the secure link 18, for display on the secure browser window
66. According to one embodiment, all of the content of the page may be encrypted,
such that the proxy server 38 and/or information systems 40 only detects an
unintelligible data stream. As mentioned previously, the URL address and other
identifying information of the web page, including its hypertext links, are
concatenated with the URL address of the secure server 14 and then encrypted,
such that it appears that the data is originating from the secure server 14.

The encrypted information passes through the proxy server 38 and 
firewall system 42, and is received by the terminal 16. The information is decrypted 
and displayed on the secure browser window 66 at a block 58. Once displayed, the
user can view the web page and continue surfing, and in effect, the user occupies a 
"private Internet." 

If the user clicks on a hypertext link on the displayed web page at the 
block 60, then the web browser is instructed to directly contact the secure server 14 
for the web page, since the URL address associated with the hypertext link was
rewritten at the block 56. The URL address of the clicked hypertext link, which is
generally already concatenated with the URL address of the secure server 14 at this
point, is encrypted and sent to the secure server 14 at the block 54. It is noted that if
the URL address of the hypertext link is not concatenated already, if the user
entered a new URL address in the address field 70, or if the user selected a URL
address from a "Favorites" menu, such URL addresses are concatenated with the
URL address of the secure server 14, encrypted, and then the entire concatenated 
address is transmitted to the secure server 14 via the secure link 18. 

If the user does not click a hypertext link at the block 60, then a
determination is made at a block 62 whether the user is finished surfing/browsing. If
the user is not finished, then the user may continue surfing at the block 58, and the
process repeats as described above.

If the user is finished surfing at the block 62, then cookies, browsing
file histories, cached web pages, and other such information are deleted from the
storage unit 26 of the terminal 16. The deletion at the block 64 may be
accomplished in any number of ways. For instance, upon notification of the end of
transmission (e.g., at sign-off or log-out), the secure server 14 can transmit
instructions to the terminal 16 that trigger software stored in the terminal 16 to
delete the cookies, file history, etc. In one embodiment, the user can download
cookie deletion software from the secure server 14, and use the software to delete
cookies at the end of a session.

Deletion of cookies or cookie control can be accomplished in several 
ways. In one embodiment, the user may set preferences and transmit the 
preferences to the secure server 14. The preferences can specify what cookies can 
be allowed to be passed on to the terminal 16 by the secure server 14, while 
undesirable cookies are not passed on by the secure server 14.

In another embodiment, a digital identity can be established for the
user and maintained at the secure server 14. Cookies for that user may then be 
stored in the database unit 32 under the digital identity, and cookies are never 
actually transferred to the terminal 16. 
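
The cookie control embodiments above (blocking, filtering by type and quantity according to user preferences, and server-side storage under a digital identity) can be expressed as one policy function on the secure server. This is an added example, not code from the patent; the preference fields, the mode names, the pseudonym value and the sample headers are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from http.cookies import CookieError, SimpleCookie


@dataclass(frozen=True)
class CookiePrefs:
    """Preferences the user transmits to the secure server (assumed fields)."""
    mode: str = "filter"                 # "block", "filter" or "vault"
    allowed_hosts: frozenset = frozenset()
    session_only: bool = True            # strip Expires/Max-Age before forwarding
    max_cookies: int = 2                 # quantity limit per response


def control_cookies(set_cookie_headers, origin_host, prefs, vault, pseudonym):
    """Return the Set-Cookie values the secure server passes on to the terminal.

    In "vault" mode nothing is passed on: cookies are kept on the server in
    `vault`, keyed by the user's pseudonym and the web site's host.
    """
    forwarded = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        try:
            jar.load(header)
        except CookieError:
            continue                     # malformed cookie: drop it
        for name, morsel in jar.items():
            if prefs.mode == "block":
                continue
            if prefs.mode == "vault":
                vault.setdefault((pseudonym, origin_host), {})[name] = morsel.value
                continue
            if origin_host not in prefs.allowed_hosts:
                continue                 # type control: only approved sites
            if len(forwarded) >= prefs.max_cookies:
                continue                 # quantity control
            if prefs.session_only:
                morsel["expires"] = ""   # empty attributes are omitted on output
                morsel["max-age"] = ""
            forwarded.append(morsel.OutputString())
    return forwarded


def cookie_header_for(vault, pseudonym, origin_host):
    """Cookie header the server replays to the web site on the user's behalf."""
    stored = vault.get((pseudonym, origin_host), {})
    return "; ".join(f"{k}={v}" for k, v in sorted(stored.items()))


# Constructed Set-Cookie headers, as if received from shop.example
SAMPLE_SET_COOKIE = [
    "session=abc123; Path=/; HttpOnly",
    "prefs=dark; Max-Age=31536000; Path=/",
    "track=u-991; Max-Age=63072000; Path=/",
]

if __name__ == "__main__":
    prefs = CookiePrefs(allowed_hosts=frozenset({"shop.example"}))
    print(control_cookies(SAMPLE_SET_COOKIE, "shop.example", prefs, {}, "user-7f3a"))
    vault = {}
    control_cookies(SAMPLE_SET_COOKIE, "shop.example",
                    CookiePrefs(mode="vault"), vault, "user-7f3a")
    print(cookie_header_for(vault, "user-7f3a", "shop.example"))
```
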

It is noted that in the system 10 shown in Figure 1 and in other
configurations, the proxy server 38 and/or information systems 40 may be able to
detect the number and length of communications from the terminal 16 to the secure
server 14, albeit not the content of such communications. As a result, the proxy
server 38 and/or information systems 40 may be eventually programmed to "block"
communication to and from the URL/IP address of the secure server 14. In other
settings, it may be possible for organizations, ISPs, government bodies, etc. to
restrict access to the secure server 14 by blocking packets having
source/destination addresses identifiable to the secure server 14. Accordingly, an
embodiment of a system 90 is shown in Figure 4 that provides the terminal 16 with
multiple access points to the secure server 14, thereby bypassing blocking
mechanisms.

The system 90 includes one or more spoofing units 92
communicatively coupleable to the terminal 16. The spoofing unit 92 can comprise a
server, a web site, a web page, or any other network component that has a static IP
or URL address. The spoofing unit 92 can include/operate software to establish a
secure connection 94 with the terminal 16 and a connection 96 (which can be
secure) with the secure server 14, and can include software to pass browser
requests from the terminal 16 to the secure server 14 via the connections 94-96.

Such software may be distributed to operators of the spoofing unit 92
by owners of the secure server 14 free of charge (e.g., if the operator of
the spoofing unit is an advocate of "privacy" or "free speech") or based on various
business incentives (e.g., installation of the software in exchange for banner
advertisement space on the secure browser window 66).

Figure 5 shows a flowchart 98 depicting an embodiment of a method 
for secure communication that can be implemented by the system 90. In operation, 
the terminal 16 may indirectly access the secure server 14 when the user launches a 
web browser at a block 100 and enters https:// followed by the domain name (or 
URL) address of the spoofing unit 92. This results in a secure connection to the 
spoofing unit 92 at a block 102, using a suitable protocol, such as TCP/IP. The
TCP/IP protocol can include "handshaking" processes where SYN and ACK 
information is exchanged between the terminal 16 and the spoofing unit 92. 
Entering the https:// prefix allows the user to enter into a secure mode by 
establishing the secure connection 94, thereby allowing the user to subsequently 
enter and transmit to the spoofing unit 92, a URL address of a destination web site 
at a block 104. 

In one embodiment, the user may enter the URL address of the
destination web site after a string comprising the https:// prefix and URL address of 
the spoofing unit 92. The URL address of the destination web site is subsequently 
concatenated with the previously entered (or automatically entered) string, and the 
portion of the resulting concatenated URL address having the URL address of 
destination web site is encrypted, in a manner similar to that described above with 
respect to Figures 1-2. In another embodiment, the URL address of the spoofing 
unit may also be concatenated with the string and then encrypted. This way, the 
proxy server 38 and/or information systems 40 detects only the URL or IP address of 
the spoofing unit 92, if anything, and not the address of the destination web site or of 
the secure server 14.

Upon receipt of the web browser request, software in the spoofing unit
92 recognizes the request as being destined to the secure server 14. This may be
done by decrypting the encrypted addresses and then reading the URL address of
the secure server 14, or by other methods to detect that the request has to be
forwarded to the secure server 14. The spoofing unit 92 forwards the request to the
secure server 14 via the connection 96 at a block 106. It is noted that the spoofing
unit 92 can also forward the SYN/ACK information or other data to assist the secure
server 14 in maintaining and synchronizing subsequent communication with the
terminal 16. At a block 108, the secure server 14 receives the request from the
spoofing unit 92 and processes the SYN/ACK information to keep track and
synchronize the order of packets. A person skilled in the art will know how to
implement the SYN/ACK process based on the description provided herein.

After the secure server 14 receives the request and SYN/ACK 
information from the spoofing unit 92, it decrypts the data to obtain the URL address 
of the destination web site and obtains the requested web page therefrom at a block
110. Similar to the block 56 in the flowchart 46 of Figure 2, the secure server 14 at
the block 110 can perform URL rewriting. This may include rewriting the URL
address of the requested web page (e.g., "spoofing" its URL address) and its
hypertext links to indicate the spoofing unit 92 as the source. Modification of script
and code (e.g. Java™ and JavaScript™) of the web page, may also be performed to
ensure that all subsequent requests by the web browser at the terminal 16 are sent 
to the spoofing unit 92 (and from there, subsequently sent to the secure server 14). 

As with the block 56 of Figure 2, the secure server 14 may perform 
cookie control and other electronic file management at the block 110. After the 
processes described above are performed on the web page, the web page is
encrypted and directly sent for display to the terminal 16, via the secure link 18, at a
block 112. 

Since the return IP or URL address of all packets sent from the secure 
server 14 to the terminal 16 are "spoofed" so that they appear to come from the 
spoofing unit 92, it is virtually impossible for the proxy server 38 and/or information
systems 40 to determine that the packets came from the secure server 14 (and from
addresses other than the address of the spoofing unit 92). This can prove
particularly useful if the user is viewing web pages of a controversial or controlled
nature. The configuration of the system 90 of Figure 4 makes it appear to the proxy
server 38 and/or information system 40 that the encrypted content viewed by the
user, whatever it may be, is originating from an innocuous web site at the spoofing 
unit 92. 

At a block 114 in Figure 5, the user may click on a hypertext link on the
displayed web page or enter a URL address of another web site (e.g., continue to
"surf"), thereby resulting in transmission of encrypted web browser requests to the
spoofing unit 92, in a manner described above with respect to blocks 104-112. As
before, web browser requests are sent to the spoofing unit 92 via the secure
connection 94 (and forwarded to the secure server 14 via the connection 96), while
retrieved web pages are sent directly to the terminal 16 from the secure server 14,
without having to go through the spoofing unit 92. This is particularly advantageous
because the bandwidth capacity of the spoofing unit 92 is not overwhelmed. That is,
web browser requests take up significantly less bandwidth than web page content
produced in response to such request. Hence, the spoofing unit 92 can easily
accommodate multiple web browser requests, while the secure server 14 has the
larger bandwidth to handle the content, via the secure link 18.

If the user stops surfing at the block 114, then at log-out, cookies, file
histories, cached web pages, etc. are deleted at a block 116. This may be done in a 
manner similar to the block 64 of Figure 2. 

As mentioned, there may be more than one spoofing unit 92. Hence, if
access to any one of the spoofing units 92 is blocked, access to the secure server
14 may be obtained from other spoofing units. According to one embodiment, users
may be provided with hardcopy or online URL directories of spoofing units, such that
they can identify and connect to any of these participating units. In another
embodiment, the secure server 14 can perform hand-off and redirection of the user's
web browser to different spoofing units, such that the user's web browser can
"dynamically" connect or reconnect to different spoofing units, as directed by the
secure server 14. The secure server 14 may also automatically and dynamically
provide the user's web browser with URL addresses of spoofing units (e.g., during a
transmission of an encrypted web page), such that the user's web browser can
automatically connect to such URL addresses for the next transaction(s).

Various features and business models may be implemented by the
embodiments described above and shown in the figures, to manage and customize
a user's privacy. According to one embodiment, a user's privacy can be provided by
the secure server 14 in exchange for placement of user-specific or general banner
advertisements 78-82 on the secure server window 66 of Figure 3. In such a case,
user identity, user IP addresses, and user content (e.g.,
content delivered or accessed) may be kept private in exchange for placement of
banner advertisements.

In another embodiment, components that are less important to users
and most important to advertisers, web sites, or employers can be sold by the
organization operating the secure server 14, with the user's permission. These
components include:

time spent online, bandwidth used (e.g., provided to employers);

web surfing patterns of the user and correlations (e.g., provided to
advertisers, web sites, and vendors); or

personal preferences and interest of the user (e.g., provided to 
advertisers, web sites, and vendors). 

An example includes cookie control. Based on the preferences and 
instructions of the user, the user may control the type and quantity of cookies 
delivered to or filtered from the user's web browser by the secure server 14. In one 
embodiment, the user may be able to designate cookies for storage under a 
pseudonym, directly on the secure server 14, thereby adding another layer of 
privacy. Because cookies are often used to build profiles of the user (by web sites 
or advertisers), controlling cookie exchange with destination web sites allows the 
user to manage the amount of privacy provided by the secure server 14. 

According to one embodiment, a user may allow operators of the
secure server 14 [...]
user, and then sell such information to advertisers, in exchange for protecting the
user's privacy at all times. In this embodiment, such information may be sold to the 
advertisers with the permission of the user, and includes information that the user is 
generally not sensitive about. 

In conclusion then, embodiments of the invention provide a secure 
server 14. Users at terminals 16 can obtain information from web sites in the 
network 12 through the secure link 18, in encrypted form, thereby protecting their 
privacy and security. Such information appears as if it comes from the secure server 
14 rather than specific web sites. Spoofing units 92 may be used as alternative
access points to the secure server 14, with the secure server 14 sending requested
information directly to the terminal 16. In general, URL rewriting and other 
manipulation can be performed such that the true source of the information is 
disguised and such that subsequent communication from the terminal 16 is directed 
to the secure server 14 and/or spoofing unit 92, rather than to the true source of the 
information (e.g., the web site). Components of the user's privacy may be sold as 
specified by the user, and advertisements may be displayed in exchange for 
protection of the user's identity. 

The above description of illustrated embodiments of the invention is 
not intended to be exhaustive or to limit the invention to the precise forms disclosed. 
While specific embodiments of, and examples for, the invention are described herein 
for illustrative purposes, various equivalent modifications are possible within the 
scope of the invention, as those skilled in the relevant art will recognize. 

These modifications can be made to the invention in light of the above 
detailed description. The terms used in the following claims should not be construed 
to limit the invention to the specific embodiments disclosed in the specification and 

following claims, which are to be construed in accordance with established doctrines 
of claim interpretation.

CLAIMS

What is claimed is:

1. A method, comprising:

responsive to a request, retrieving a web page designated in the request;

modifying an address associated with the retrieved web page to indicate an
address associated with a secure server that retrieved the web page; and

encrypting data associated with the retrieved web page and sending, via a
secure link, the encrypted data to a terminal that sent the request.

2. The method of claim 1 wherein the secure link comprises a secure sockets
layer (SSL) link.

3. The method of claim 1 wherein modifying the address associated with the
retrieved web page comprises modifying a Uniform Resource Locator (URL) or
Internet Protocol (IP) address of a source web site that originated the web page.

4. The method of claim 1 wherein modifying the address associated with the
retrieved web page comprises modifying an address associated with a hypertext link
in the retrieved web page to indicate the address associated with the secure server.

5. The method of claim 1, further comprising modifying computer code
associated with the retrieved web page to cause subsequent requests related to the
retrieved web page to be sent to the secure server instead of to a source web site
that originated the web page.

6. The method of claim 1, further comprising decrypting the address associated
with the web page from an address received along with the request from the
terminal, the address received along with the request from the terminal comprising a
concatenation of the address associated with the web page and the address
associated with the secure server.

7. The method of claim 1, further comprising repeating the retrieving, modifying,
encrypting, and sending while the secure link is active.

8. The method of claim 1, further comprising triggering a deletion of stored
electronic files at the terminal related to a communication via the secure link, in
response to termination of the communication.

9. The method of claim 1, further comprising, at the secure server, controlling
transmission of electronic files to the terminal based on preferences received from
the terminal.

10. The method of claim 1, further comprising:

providing an intermediate unit to receive the request from the terminal;

at the secure server, receiving the request, forwarded from the intermediate
unit;

retrieving the web page designated in the request from a source;

modifying address information in the retrieved web page to indicate a source
address corresponding to an address of the intermediate unit rather than to an
address of the source that provided the web page; and

directly sending an encrypted version of the retrieved web page from the
secure server to the terminal, via the secure link.

11. The method of claim 10, further comprising receiving, at the secure server,
communication protocol information related to a communication between the
terminal and the intermediate unit, to allow the secure server to respond to requests
sent to the intermediate unit from the terminal.

12. The method of claim 10, further comprising receiving subsequent requests
from the terminal at the intermediate unit rather than directly at the secure server
from the terminal.

13. The method of claim 1, further comprising storing under a pseudonym at a
location communicatively coupled to the secure server, electronic files sent from a
web site along with the web page.

14. The method of claim 1, further comprising:

obtaining information related to a user's communication with the secure
server;

providing the obtained information to an entity based on permission of the
user and in exchange for providing the secure link; and

providing advertisements from the entity to the user related to the obtained
information.

15. The method of claim 1, further comprising:

providing a viewing window at the terminal;

displaying the retrieved web page at the viewing window; and

providing an interface for subsequent communication with the secure server
from the viewing window.

16. A method, comprising:

providing an intermediate unit to receive a request for a web page from a
terminal;

at a secure server, receiving the request, forwarded from the intermediate
unit;

retrieving the web page designated in the request from a source;

modifying address information in the retrieved web page to indicate a source
address corresponding to an address associated with the intermediate unit rather
than to an address associated with a source that provided the web page; and

directly sending an encrypted version of the retrieved web page from the
secure server to the terminal, via a secure link.

17. The method of claim 16, further comprising receiving, at the secure server,
communication protocol information related to a communication between the
terminal and the intermediate unit, to allow the secure server to respond to requests
sent to the intermediate unit from the terminal.

18. The method of claim 16 further comprising receiving subsequent requests
from the terminal at the intermediate unit rather than directly at the secure server
from the terminal.

19. The method of claim 16, further comprising:

receiving from the intermediate unit and at the secure server, encrypted
address information associated with the web page, concatenated with the address
associated with the intermediate unit;

decrypting the encrypted address information and retrieving a web page
corresponding thereto; and

re-encrypting the address associated with the retrieved web page and
concatenating the re-encrypted address with the address associated with the
intermediate unit.

20. A machine-readable medium having stored thereon instructions, which when
executed by a processor, cause the processor to effect the following:

responsive to a request, retrieve a web page designated in the request;

modify an address associated with the retrieved web page to indicate an
address associated with a secure server that retrieved the web page; and

encrypt data associated with the retrieved web page and send, via a secure
link, the encrypted data to a terminal that sent the request.

21. The machine-readable medium of claim 20 wherein the instructions cause the
processor to effect the following:

send the encrypted data via the secure link by sending the encrypted data via
a secure sockets layer (SSL) link.

22. The machine-readable medium of claim 20 wherein the instructions cause the
processor to effect the following:

modify the address associated with the retrieved web page by modifying a
Uniform Resource Locator (URL) or Internet Protocol (IP) address of a source web
site that originated the web page.

23. The machine-readable medium of claim 20 wherein the instructions cause the
processor to effect the following:

receive the request from the terminal forwarded from an intermediate unit;

retrieve the web page designated in the request from a source;

modify address information in the retrieved web page to indicate a source
address corresponding to an address associated with the intermediate unit rather
than to an address associated with the source that provided the web page; and

directly send an encrypted version of the retrieved web page from the secure
server to the terminal, via the source link.

24. A machine-readable medium having stored thereon instructions, which when
executed by a processor cause the processor to effect the following:

receive a [...]

forward the request from the terminal to a secure server to allow the secure
server to retrieve the web page designated in the request from a source and to allow
the secure server to directly send an encrypted version of the retrieved web page
from the secure server to the terminal, via a secure link.

25. The machine-readable medium of claim 24 wherein the instructions further
cause the processor to effect the following:

send to the secure server communication protocol information related to a
communication with the terminal, to allow the secure server to respond to requests
sent from the terminal.

26. The machine-readable medium of claim 24 wherein the instructions further 
cause the processor to effect the following: 

receive subsequent requests from directly the terminal rather than directly at 
the secure server. 

27. The machine-readable medium of claim 24 wherein the instructions further 
cause the processor to effect the following: 

receive an encrypted address concatenated with other address information 
via a secure connection; 

decrypt the encrypted address and retrieve an address associated with the 
secure server or the address associated with the web page therefrom; and 

send the request to the decrypted address. 

28. An apparatus, comprising:

a processor coupled to a storage unit, the storage unit being capable of
storing a computer program; and

a communication unit to allow the processor to communicate with a terminal
and with a web site, wherein responsive to a request from the terminal, the
processor is capable of effecting execution of the computer program to retrieve a
requested web page from the web site via the communication unit, to modify an
address of the retrieved web page to a different address, to encrypt data associated
with the retrieved web page, and to send the encrypted data to the terminal via a
secure link communicatively coupleable to the communication unit.

29. The apparatus of claim 28 wherein the secure link comprises a secure
sockets layer (SSL) link.

30. The apparatus of claim 28, further comprising a database unit
communicatively coupled to the processor to store electronic files under a
pseudonym, the electronic files corresponding to data sent from the web site along
with the retrieved web page.

31. An apparatus, comprising:

a server communicatively coupleable to a network and to a terminal, the
server being capable of sending data from the network to the terminal in an
encrypted form via a secure link, in response to a request received from the
terminal, wherein the data sent to the terminal indicates the server as a source of the
data.

32. The apparatus of claim 31 wherein the secure link comprises a secure
sockets layer (SSL) link.

33. The apparatus of claim 31 wherein the server is communicatively coupleable
to an intermediate unit, the server being capable of receiving the request from the
terminal via the intermediate unit and sending the data responsive to the request
directly to the terminal via the secure link.
l 
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1 34. A system, comprising: 

2 a server communicatively coupieable to a network and to a terminal, the 

3 server being capable of sending data from the network to the terminal in an 

4 encrypted form via a secure link, in response to a request received from the 

5 terminal, wherein the data sent to the terminal indicates the server as a source of the 

6 data; and 

7 an intermediate unit communicatively coupieable to the server, the server 

8 being capable of receiving the request from the terminal via the intermediate unit 

9 and sending the data responsive to the request directly to the terminal via the secure 
P 10 link. 

S l 35. The system of claim 34 wherein the secure link comprises a secure sockets 

Sis* 

W 2 layer (SSL) link. 

VI 1 

Q l 36. The system of claim 34 wherein the intermediate unit is capable of receiving 

rU 2 subsequent requests from the terminal and sending the request to the server, the 

Q 3 ^SFWi% w ^p[ll& # feeeiviRg^the ^requests fem the jrrtii^^g unit and 

4 sending data responsive to the request directly to the terminal, the data sent to the 

5 terminal indicating a source address corresponding to the intermediate unit rather 

6 than an address corresponding to the server. 
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METHOD AND APPARATUS FOR ENCRYPTED COMMUNICATIONS 
TO A SECURE SERVER 

5 ABSTRACT OF THE DISCLOSURE 

An embodiment of the invention includes a secure server. A user at a 
terminal, communicatively coupled to the secure server by a secure link, can obtain 

10 web pages from web sites in a network, in encrypted form, via the secure link. 

^ Addresses associated with the web pages are altered to make it appear as if the 

;s web pages come from the secure server rather than from the web sites. Spoofing 

|| units may be used as alternative access points to the secure server, with the secure 

W server sending the requested web pages directly to the terminal. In general, 

in 15 address rewriting and other manipulation can be performed on the requested web 

C3 pages, such that the true sources of the web pages are disguised and such that 

|U subsequent communications from the terminal are directed to the secure server 

n and/01^ s pa^fi mgtiU m it> rather Unaiiivte the true source of the web pages. Components 

Sj " of the user's privacy may be sold, or advertisements may be provided, in exchange 

20 for protection of the user's identity. 

/004828/P001/FuguNet-P001-AP/v2 

Description 

CROSS-REFERENCE TO RELATED APPLICATION 

[0001] This application is a continuation-in-part of U.S. application Ser. No. 09/580,365, entitled 
"METHOD AND APPARATUS FOR ENCRYPTED COMMUNICATIONS TO A SECURE 
SERVER," filed May 26, 2000, assigned to the same assignee as the present application, and 
incorporated herein by reference in its entirety. 

TECHNICAL FIELD 

[0002] This disclosure relates generally to communication with a network, 
and in particular but not exclusively, relates to encrypted communication with a network via a 
secure server. 

BACKGROUND 

[0003] Networks such as the Internet and World Wide Web (web) are extremely popular to users 
as a source of information and entertainment. The web is used for communication between 
central sites (e.g., web sites) on the Internet and individual users who wish to communicate with 
the site. Two programs typically control the communications: a web browser that runs on the 
user's computer and a web server that runs on the web site's computer. 

[0004] To obtain information from a web site, a web browser sends a request to a web server by 
transmitting a uniform resource locator (URL) address of the web site and by using a 
communication protocol such as Transmission Control Protocol/Internet Protocol (TCP/IP). In 
typical situations, such a request to the web server is in the form of a hypertext transfer protocol 
(HTTP) request that results in a transmission of hypertext markup language (HTML) documents 
(e.g., web pages) back to the web browser. 

[0005] Many employers provide their employees with terminals, such as personal computers 
(PCs), which the employees can use to access the Internet to send/receive email and to "surf the 
Net." According to a common configuration, such PCs are connected together in a company's 
internal network, such as a local area network (LAN), and then connected via the company's 
proxy server to Internet servers. 

[0006] The proxy server often serves as part of the company's "firewall," where incoming and 
outgoing communications can be monitored by the company's information systems. In 
operation, employees are generally forced to connect to the Internet via this firewall. In other 
words, all communications (usually in the form of packets) are passed first through the proxy 
server, and then out to the destination web site. Similarly, content requested from the Internet, 
such as HTML pages, are first sent to the proxy server, and then forwarded to the employee's 
terminal for display by a web browser. 

[0007] Because of this standard network architecture, individual terminals (e.g., users or 
employees) are vulnerable to the monitoring of: a) content uploaded by the user to a web site, 
such as Internet email messages that the user writes and sends; b) content downloaded from a 
web site, such as HTML pages viewed on the web site or Internet email messages that the user 
receives and reads; and c) the Internet Protocol (IP) or URL addresses of servers to which the 
user sends/receives packets. 

[0008] There are similar privacy and security issues involved with network architectures other 
than the corporate network described above. For example, users accessing the Internet from 
terminals in their homes sometimes have their packets routed through an Internet Service 
Provider (ISP) and/or along a system having a ring or loop configuration, such as a cable modem 
system. In such situations, hackers or other parties have the opportunity to monitor individual 
users' communication at the ISP or at other locations, and thus can obtain information that 
the users wish to keep confidential, such as URLs of visited web sites, IP addresses of servers 
used, content (e.g., HTML pages or email) sent/received by the user, etc. 

[0009] Additional mechanisms are implemented by Internet-based systems that further 
jeopardize the freedom of users to communicate privately and securely with the Internet. For 
instance, companies that control employees' Internet usage sometimes implement firewall 
blocking or filtering to prevent access to particular web sites. Also, visited web sites often record 
IP addresses of clients (e.g., users) and collect other data to help identify clients during a 
profiling process. Further, web servers typically transmit "cookies" for storage in users' 
terminals. Cookies are electronic files sent by the web server to the web browser to help 
identify the user and to prepare customized web pages when the user returns to the web site. In 
typical situations, web pages and histories of URLs accessed (e.g., a web browser history file) 
are stored at the user's terminals, thereby further compromising the privacy of the user. 

[0010] In short, there is a need to improve private and secure communications over networks 
such as the Internet. 

BRIEF DESCRIPTION OF THE DRAWINGS 

[0011] Non-limiting and non-exhaustive embodiments of the present invention will be described 
in the following figures, wherein like reference numerals refer to like parts throughout the 
various views unless otherwise specified. 

[0012] FIG. 1 shows a system that can implement an embodiment of the invention. 

[0013] FIG. 2 is a flowchart showing an embodiment of a method for secure 
communication that can be implemented by the system of FIG. 1. 

[0014] FIG. 3 shows an embodiment of a browser window that can be displayed using the 
secure communication method of FIG. 2. 

[0015] FIG. 4 shows a system that can implement another embodiment of the invention. 

[0016] FIG. 5 is a flow chart showing an embodiment of a method for secure 
communication that can be implemented by the system of FIG. 4. 

[0017] FIG. 6 is an embodiment of an algorithm to modify computer code that can be used for 
the systems of FIGS. 2 and 4. 

[0018] FIG. 7 is an embodiment of an algorithm to proxy cookies that can be used for the 
systems of FIGS. 2 and 4. 

DETAILED DESCRIPTION OF THE ILLUSTRATED EMBODIMENTS 

[0019] Embodiments of a method and apparatus for secure communication to a network, such as 
the Internet, via a secure server are described in detail herein. In the following description, 
numerous specific details are provided, such as a description of various system components in 
FIG. 1, to provide a thorough understanding of embodiments of the invention. One skilled 
in the relevant art will recognize, however, that the invention can be practiced without one or 
more of the specific details, or with other methods, components, etc. In other instances, 
well-known structures or operations are not shown or described in detail to avoid obscuring 
aspects of various embodiments of the invention. 

[0020] Reference throughout this specification to "one embodiment" or "an embodiment" 
means that a particular feature, structure, or characteristic described in connection with the 
embodiment is included in at least one embodiment of the present invention. Thus, the 
appearances of the phrases "in one embodiment" or "in an embodiment" in various places 
throughout this specification are not necessarily all referring to the same embodiment. 
Furthermore, the particular features, structures, or characteristics may be combined in any 
suitable manner in one or more embodiments. 

[0021] Referring first to FIG. 1, shown generally at 10 is a system that can implement an 
embodiment of the invention. The system 10 can include a network 12, such as the Internet, but 
other types of communication networks may be utilized as well. For example, the network 12 
can comprise a local area network (LAN), virtual local area network (VLAN), asynchronous 
transfer mode (ATM) network, or other network or portion of a network. 

[0022] The system 10 includes one or more secure servers 14 communicatively coupled to one or 
more terminals 16 via one or more secure links 18. The server 14 can be coupled to other servers 
(not shown) in the network 12 that run web server software. The servers in the network 12 can 
provide a plurality of web sites 17 and 19 having HTML, extensible markup language (XML), 
extensible style language (XSL), etc. web pages. Typically, the web sites 17 and 19 (or other 
components coupled to the network 12) are identifiable by a numeric IP address and/or by a URL 
address. 

[0023] The web pages of the web sites 17 and 19 can be provided to 
components (e.g., to servers or terminals) communicatively coupled to the network 
12 using a protocol such as TCP/IP, HTTP, FTP, or other suitable protocol. In one embodiment, 
the server 14 can securely provide web pages to the terminal 16, in a manner that will be 
described in further detail below. 

[0024] The server 14 can include one or more processor units 30 to perform the various methods, 
processes, and algorithms described herein, using a compiler, for example. The processor unit 30 
can be communicatively coupled to one or more database units 32, in a manner such that 
information in the database unit 30 is accessible by the processor unit 30. The server 14 can also 
include a storage unit 34 to provide the server 14 with additional storage capacity for storing 
software and other data. The server 14 may further include a communication unit 36 to provide 
communication hardware, software, protocols, and other features and functions for 
communication between the server 14 and the terminal 16 (or between the server 14 and other 
components connected to the network 12). 

[0025] The storage unit 34 and database unit 30 can comprise machine-readable media. 
According to one embodiment, the storage unit 30 can store machine-readable instructions or 
software to perform the various functions described throughout this detailed description to 
provide secure communication with the terminal 16. The database unit 30 can store information 
specific to particular users or terminals 16, electronic files such as cookies, and other 
such data related to one or more communication sessions between terminals 16 and the secure 
server 14. 

[0026] The terminals 16 can comprise personal computers (PCs) to access the server 14. The 
terminals 16 each have a display unit 20 that allows users to view information sent to and from 
the server 14, using a suitable commercially available web browser such as Microsoft's Internet 
Explorer™ or Netscape's Navigator™. The terminal 16 can include an input/output 
unit 22, such as a keyboard and mouse. The terminal 16 may also include a processor 24, and a 
storage unit 26, which can be any type of machine-readable storage medium such as read only 
memory (ROM), random access memory (RAM), compact disks (CDs), digital versatile disks 
(DVDs), hard disk, magnetic tape, floppy disks, etc. The storage unit 26 can store the web 
browser, and can also include caches to store downloaded web pages and other information 
obtained during the course of communication with the network 12. 

[0027] Although the terminal 16 is described herein for illustrative purposes as a PC, it is to be 
appreciated that other types of terminals may be used. These include laptops, enhanced 
functionality wireless devices, handheld devices, television sets, workstations (e.g., dumb 
terminals) connected to a network, and other such devices that can communicate with the 
network 12. Accordingly, embodiments of the invention are not limited by the specific type of 
terminal used. 

[0028] The terminal 16 can be a stand-alone unit, or it may be connected to other terminals 16 
forming part of a corporate LAN, for example. A typical corporate LAN communicates with the 
network 12 via a proxy server 38, operated by an information systems 40. In many cases, the 
information systems 40 and/or the proxy server 38 operate a firewall system 42 to 
control and monitor network traffic sent to and from the network 12. 

[0029] According to an embodiment of the invention, communication between the terminal 16 
and the network 12 is conducted on the secure link 18 that goes through the proxy server 38 and 
firewall system 42. In such an embodiment, the communication can pass freely through the 
proxy server 38 and firewall system in a secure and private manner, as will be described below. 

[0030] The secure link 18 can be an ISDN, T1, xDSL, SONET, Ethernet, or other type of 
high-speed link. The secure link 18 may also be a telephone modem link. Twisted-pair, coaxial cable, 
fiber optic, or other types of physical links/lines may be used. Wireless links, such as radio 
frequency, satellite, microwave, optical, etc. may be used as well. Accordingly, embodiments of 
the invention are not limited by the specific type of link used by the secure link 18. 

[0031] Although a LAN-type configuration is shown in the embodiment of FIG. 1, it is 
understood that other embodiments of the invention may be implemented in other ways. For 
example, in one embodiment, an ISP may take the place of the proxy server 38, information 
systems 40, and firewall system 42, where the terminal 16 is an individual unit located in the 
user's home. Other configurations, such as loop configurations, are possible for implementing 
embodiments of the invention, so long as the secure link 18 can be provided between the 
terminal 16 and the secure server 14. 

[0032] Shown next in FIG. 2 is a flowchart 46 depicting a method for secure 
communication that can be implemented by the system 10 of FIG. 1. A communication 
typically begins at a block 48, when the user launches a web browser in the terminal 16. Once 
the web browser is launched, the user may connect to the secure server 14 by entering a URL 
address of the secure server 14. 

[0033] The address entered by the user may include the conventional http:// prefix, followed by 
the URL address (e.g., domain name) of the secure server 14 (which may include the 
conventional "www" designation). In one embodiment, the user may enter the prefix https://, 
followed by the URL address of the secure server 14, where https:// indicates a "hypertext 
transfer protocol secure" mode supported by software of the secure server 14. 

[0034] Once the user has entered the URL address of the secure server 14, the web browser 
initiates a communication with the secure server 14 (e.g., sends a request) at the block 50. It is 
noted that such a communication is typically transmitted through the firewall system 42 and 
proxy server 38. In response to the web browser request, the secure server 14 establishes the 
secure link 18 to the terminal 16. 

[0035] According to an embodiment of the invention, the secure link 18 may be established by 
the secure server 14 using secure server sockets layer (SSL) protocols and procedures, in a 
manner known in the art. Once the secure link 18 is established, data may be exchanged between 
the secure server 14 and the terminal 16 in an encrypted manner using RSA (with public and 
private keys) or other suitable encryption algorithms. 

[0036] The user may establish the secure link 18 with the secure server 14 simply by entering 
https:// in one embodiment. In another embodiment, where the user enters http:// plus the URL 
address of the secure server 14, the secure link 18 may be established, for example, by 
subsequently clicking an "Enter Secure Mode" button on a web page provided by the secure 
server 14 in response to the initial web browser request/communication. 

[0037] Upon establishment of the secure link 18, a secure browser window may be displayed (at 
a block 52) on the display unit 20 of the terminal 16. An example of such a secure browser 
window is shown at 66 in FIG. 3. The secure browser window 66, in one embodiment, 
may be a new browser window launched on the terminal 16 by the secure server 14. In another 
embodiment, the secure browser window 66 may be a modified and secure version of the 
browser window which was previously launched at the block 48, and which is subsequently 
modified/secured by the secure server 14. 

[0038] The secure browser window 66 can include a conventional menu/tool bar 68, an address 
field 70 to enter URL addresses of destination web sites, and scrolling controls 72 and 74. 
Additionally, the secure browser window 66 may include an icon 76 to assist the user in visually 
recognizing that the secure link 18 with the secure server 14 is active. 

[0039] A display region of the secure browser window 66 can display a plurality of banner 
advertisements 78, 80, and 82, each provided with hypertext link(s). In some instances, one or 
more of the banner advertisements 78, 80, or 82 can be located in other regions of the secure 
browser window 66, such as next to the address field 70, and not just in the display region 
(sometimes referred to as a "chrome"). Specific tailoring (e.g., profiling) of these banner 
advertisements 78-82 with respect to the user is described later below. The display region can 
also display content 84 from web pages of web sites 17 and 19 subsequently requested 
by the user. The displayed content of 84 can include one or more hypertext links 86-88. 

[0040] It is noted at this point that because the secure link 18 is active, the proxy server 38 and/or 
information systems 40 cannot determine the content displayed by the secure browser window 
66. While the proxy server 38 and/or information systems 40 may be able to detect that a 
communication is ongoing with the secure server 14 (e.g., by detecting the URL address of the 
secure server 14 that generated the secure browser window 66), all other content exchanged 
between the terminal 16 and secure server 14 is unintelligible data. That is, because the data is 
encrypted and because the proxy server 38 and/or information systems 40 do not have decryption 
algorithm (e.g., the private key), data sent to and from the secure browser window 66 is an 
incoherent data stream to them. 

[0041] As an example at a block 54 in the flowchart 46 of FIG. 2, the user may 
subsequently enter a URL address of a destination web site in the address field 70. To send the 
URL address of the web site to the secure server 14 according to one embodiment, the web 
browser can first concatenate the URL address of the destination web site to the currently active 
URL address of the secure server 14 (by separating them with a forward slash "/"), encrypting 
the portion of the concatenated URL address that has the URL address of the destination web 
site, and then transmitting this data/request to the secure server 14. The information detected by 
the proxy server 38 and/or information systems 40, if any, may thus be just the URL address of 
the secure server 14, followed by unintelligible encrypted data. In this manner, it appears to the 
proxy server 38 and/or information systems 40 that all communication from the terminal 16 is 
directed to the secure server 14 and not to other URL or IP addresses. The proxy server 38 and/or 
information systems 40 cannot determine the activity at the secure server 14 directed towards 
transactions with the destination web site. 

[0042] Upon receipt of the request from the user's web browser, the software in the secure 
server 14 decrypts the request to obtain the URL address of the destination web site. The secure 
server 14 then connects to the destination web site to obtain the appropriate web page, while 
performing additional encryption or URL rewriting to hide or delete the IP address of the 
terminal 16 that originated the request. As such, according to one embodiment, the destination 
web site cannot determine the IP address of the terminal 16 that originally requested the web 
page, due to the fact that the IP address of the secure server 14 appears as the source address to 
the web site. Therefore, IP addresses of users and their identity are kept protected from visited 
web sites. 

[0043] When the requested web page is received from the destination web site by the secure 
server 14, software in the secure server 14 performs various manipulative processes on the web 
page at a block 56. For example, software of the server 14 can perform URL rewriting of 
hypertext links in the web page, such that URL addresses of these hypertext links are 
concatenated with the URL address of the secure server 14, separated by a forward slash "/". 
These modifications prevent any further contact between the terminal 16 and web sites 
corresponding to the hypertext links, except via the secure server 14, if these hypertext links are 
subsequently clicked by the user, as described later with respect to a block 60 in the flowchart 
56. 

[0044] The software of the secure server 14 may also make modifications to the script and/or 
code of the web page, such as modifications to the HTML, JavaScript™ and Java™ 
code. This ensures that the user's web browser never receives an instruction to contact a web 
site or server other than the secure server 14. For example, with prior art methods, the user's 
web browser may receive a command to contact various other servers or web sites (e.g., 
third-party ad servers or web sites linked to the displayed web page via hypertext links), which results 
in the transmission of the IP address of the terminal 16 to these other servers or web sites. An 
embodiment of the invention rewrites such commands so that the user's web browser instead 
contacts the secure server 14, and asks it to retrieve the appropriate web page, file, etc., thereby 
protecting the IP address of the terminal 16 from the other servers or web sites. Other illustrative 
examples of computer code that can be re-written or modified by an embodiment of the 
invention to accomplish this include, but are not limited to, CGI scripts, ActiveX, cookies, 
Server-Side Includes (SSI), Visual Basic script or other dynamic HTML (DHTML) code or 
Turing Complete language. 

[0045] An example of an algorithm that can be used to rewrite computer code associated with the 
retrieved web page, in order to prevent the user's web browser from receiving an instruction to 
contact a web site or server other than the secure server 14, is shown generally at 118 in FIG. 6. 
For the sake of illustration, the embodiment of the algorithm 118 is described in the context of 
modifying DHTML code, such as JavaScript™, and it is to be appreciated that other types of 
code may be rewritten by other embodiments of the invention or by variations of the algorithm 
118. The algorithm 118 may be embodied in whole or in part by machine-readable instructions 
(such as code, software, and like) stored on a machine-readable storage medium (such as the 
storage unit 34) that is accessible to the secure server 14. 

[0046] According to an embodiment of the invention, the algorithm 118 identifies "dangerous" 
functions in the DHTML code that can result in access to an external resource (e.g., a resource 
on a remote web server other than the secure server 14, such as URLs, web pages, image files, 
GIF files, audio files, streaming video files, and the like). These dangerous functions can include 
function calls, conditional statements, loops, or other types of computer code. For example, in 
JavaScript™, the function "getImage" fetches an image at a remote URL address. An 
embodiment of the invention replaces such dangerous functions with new functions, which are 
referred to herein as "wrapper functions." 

[0047] Beginning at a block 120 in FIG. 6, the algorithm 118 obtains the code, such as DHTML 
code, to be modified or "sanitized". This code may be obtained from a web server, the web sites 
17 or 19, or other location that provided the requested web page to the secure server 14. Next at a 
block 122, the algorithm 118 identifies the dangerous functions in the DHTML code that can 
potentially result in access to, or other communication with, external resources. At a block 124, 
the algorithm 118 replaces the dangerous functions in the code with new wrapper functions. 

[0048] Two embodiments of techniques are described next to define wrapper functions and to 
apply such wrapper functions to a dangerous function at the block 124. For the sake of 
illustration, these techniques are described herein in the context of being applied to the command 
document.href="http://anywebsite.com" in JavaScript™. This command is a dangerous 
function because it instructs the user's web browser to load the contents of http://anywebsite.com 
onto the browser page, and so such a function should be modified or "wrapped" appropriately. 

[0049] An embodiment of a first technique defines an entirely new wrapper function (e.g., 
"safewebgetImage" from "getImage"). These new wrapper functions append a prefix (e.g., 
http://www.safeweb.com/, or other address information associated with the secure server 14, plus 
possibly other information) to the original address specified in the function, and then calls the 
original function. Thus, the JavaScript™ command identified above may be rewritten as 
document.href=addPrefix("http://anywebsite.com"), where the prefix might be 
www.safeweb.com or other address of the secure server 14. In the DHTML code, the original 
dangerous functions are swapped with these new wrapper functions. 

[0050] An embodiment of a second technique alters the original function from, for instance, 
"getImage(x)" to "getImage(prefix+x)", where the prefix might be www.safeweb.com or other 
address associated with the secure server 14. Thus, the JavaScript™ command identified 
above may be rewritten as document.href=prefix+"http://anywebsite.com". 
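
The two rewriting techniques of paragraphs [0049] and [0050], as an added example that is not code from the patent: a small rewriter for the two sinks the text names (getImage and document.href), run over a constructed page script in a stub browser to check which addresses would be contacted. The names sanitize, skipInert, endOfExpression, contactedAddresses and SAMPLE are hypothetical, and the sample script is constructed.

```javascript
// Added example, not code from the patent. PREFIX, getImage, safewebgetImage,
// addPrefix and document.href come from the text; all other names are hypothetical.
const PREFIX = "http://www.safeweb.com/";

// Sticky pattern: a getImage( call or a document.href assignment at this position.
// Method calls such as obj.getImage( are left alone.
const SINK = /(?<![\w$.])getImage\s*\(|(?<![\w$])document\.href\s*=(?!=)/y;

// First technique: a runtime wrapper that prefixes an address exactly once.
function addPrefix(url) {
  const s = String(url);
  return s.startsWith(PREFIX) ? s : PREFIX + s;
}

// Definitions the proxy would prepend to the page so rewritten code can run.
const PRELUDE = [
  `const PREFIX = ${JSON.stringify(PREFIX)};`,
  addPrefix.toString(),
  "function safewebgetImage(u, ...rest) { return getImage(addPrefix(u), ...rest); }",
].join("\n");

// If a comment or string literal opens at code[i], return the index just past it,
// otherwise return i. Template-literal ${...} bodies are treated as plain text.
function skipInert(code, i) {
  const two = code.slice(i, i + 2);
  if (two === "//") { const n = code.indexOf("\n", i); return n < 0 ? code.length : n; }
  if (two === "/*") { const n = code.indexOf("*/", i + 2); return n < 0 ? code.length : n + 2; }
  const quote = code[i];
  if (quote !== '"' && quote !== "'" && quote !== "`") return i;
  for (i++; i < code.length && code[i] !== quote; i++) {
    if (code[i] === "\\") i++; // skip the escaped character
  }
  return Math.min(i + 1, code.length);
}

// Index where the expression starting at `start` ends: a top-level character from
// `stops`, a top-level comment, or the bracket closing the enclosing call or block.
function endOfExpression(code, start, stops) {
  let depth = 0;
  for (let i = start; i < code.length; i++) {
    const j = skipInert(code, i);
    if (j !== i) {
      if (depth === 0 && code[i] === "/") return i;
      i = j - 1;
      continue;
    }
    const c = code[i];
    if ("([{".includes(c)) depth++;
    else if (")]}".includes(c)) { if (depth === 0) return i; depth--; }
    else if (depth === 0 && stops.includes(c)) return i;
  }
  return code.length;
}

// Rewrite every sink. mode "wrapper" is the first technique (swap in a wrapper
// function); mode "inline" is the second (prefix + original expression).
function sanitize(code, mode) {
  let out = "";
  let i = 0;
  while (i < code.length) {
    const j = skipInert(code, i);
    if (j !== i) { out += code.slice(i, j); i = j; continue; } // never touch text
    SINK.lastIndex = i;
    const m = SINK.exec(code);
    if (!m) { out += code[i++]; continue; }
    const isCall = m[0].endsWith("(");
    const start = i + m[0].length;
    const end = endOfExpression(code, start, isCall ? "," : ";\n");
    const expr = sanitize(code.slice(start, end).trim(), mode);
    if (expr === "") { out += m[0]; i = start; continue; } // nothing to prefix
    const value = mode === "wrapper" ? `addPrefix(${expr})` : `prefix + (${expr})`;
    if (!isCall) out += `document.href = ${value}`;
    else out += mode === "wrapper" ? `safewebgetImage(${expr}` : `getImage(${value}`;
    i = end;
  }
  return out;
}

// Run code in a stub "browser" and return every address it tried to contact.
function contactedAddresses(code) {
  const seen = [];
  const document = { set href(u) { seen.push(String(u)); } };
  const getImage = (u) => { seen.push(String(u)); };
  new Function("document", "getImage", "prefix", `${PRELUDE}\n${code}`)(document, getImage, PREFIX);
  return seen;
}

// Constructed page script: one literal address, one address built at run time.
const SAMPLE = [
  'var host = "ads.example";',
  'document.href = "http://anywebsite.com";',
  'getImage("http://" + host + "/pixel.gif", 1, 1);',
  'var note = "document.href = is only text here";',
].join("\n");
```

Running sanitize twice shows a difference between the two techniques: the wrapper form stays single-prefixed because addPrefix checks for the prefix, while the inline form is prefixed again. A sink that is missing from the SINK pattern passes through untouched, so the list of dangerous functions is the part of such a rewriter that needs the closest review.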

At the block 56 J 00511 Returning now to the block 56 of FIG 2. the software of the secure server 
14 may also perform cookie control and management operations. For example, if users have 
specified that they do not wish to receive cookies or othe r such electronic files, then the secure 
server 14 can block or filter cookies transmitted from the web site along with the web page. 
Furthermore, if the user has agreed to some or no limitation on cookie exchange, then the secure 
server 14 may control the type and quantity of cookies that are eventually passed to the terminal 
16. Additional details of how the user can control cookies are described later below. 

[00521 After receiving the web page and performing the activities described above, the secure 
server 14 encrypts the web page and sends it to the web browser of the terminal 16, via the 
secure link 18, for display on the secure browser window 66. According to one embodiment, all 
of the content of the page may be encrypted, such that the proxy server 38 and/or information 
systems 40 only detects an unintelligible data stream. As mentioned previously, the URL address 
and other identifying information of the web page, including it-'s hypertext links, are 
concatenated with the URL address of the secure server 14 and then encrypted, such that it 
appears that the data is originating from the secure server 14. 

r00531 The encrypted information passes through the proxy server 38 and firewall system 42, 
and is received by the terminal 16. The information is decrypted and displayed on the secure 
browser window 66 at a block 58. Once displayed, the user can view the web page and continue 
surfing, and in effect, the user occupies a -private Internet.-" 

r00541 If the user clicks on a hypertext link on the displayed web page at the block 60, then the 
web browser is instructed to directly contact the secure server 14 for the web page, since the 
URL address associated with the hypertext link was rewritten at the block 56. The URL address 
of the clicked hypertext link, which is generally already concatenated with the URL address of 
the secure server 14 at this point, is encrypted and sent to the secure server 14 at the block 54. It 
is noted that if the URL address of the hypertext link is not concatenated already, if the user 
entered a new URL address in the address field 70, or if the user selected a URL address from a 
-"Favorites-^ menu, such URL addresses are concatenated with the URL address of the secure 
server 14, encrypted, and then the entire concatenated address is transmitted to the secure server 
14 via the secure link 1 8. 



r00551 If the user does not click a hypertext link at the block 60, then a determination is made at 
a block 62 whether the user is finished surfing/browsing. If the user is not finished, then the user 
may continue surfing at the block 58, and the process repeats as described above. 

r00561 If the user is finished surfing at the block 62, then cookies, browsing file histories, cached 
web pages, and other such information are deleted from the storage unit 26 of the terminal 16. 
The deletion at the block 64 may be accomplished any number of ways. For instance, upon 
notification of the end of transmission (e.g., at sign-off or log-out), the secure server 14 can 
transmit instructions to the terminal 16 that triggers software stored in the terminal 16 to delete 
the cookies, file history, etc. In one embodiment, the user can download cookie deletion 
software from the secure server 14, and use the software to delete cookies at the end of a session. 

[0057] Deletion of cookies or cookie control can be accomplished in several ways. In one 
embodiment, the user may set preferences and transmit the preferences to the secure server 14. 
The preferences can specify what cookies can be allowed to be passed on to the terminal 16 by 
the secure server 14, while undesirable cookies are not passed on by the secure server 14. 

[0058] In another embodiment, a digital identity or pseudonym can be established for the user 
and maintained at the secure server 14. Cookies for that user may then be stored in the database 
unit 32 under the digital identity, and cookies are never actually transferred to the terminal 16. 

[0059] An embodiment of the invention provides cookies through a "proxy" or "proxies" cookies 
such that an original address or source of the cookies can be hidden, while still allowing the 
cookies to perform their intended function. Such a proxying service can be provided via the 
secure server 14 or through some other privacy service. A cookie is typically a small electronic 
file that is exchanged between the remote servers and user's browsers. On a web browser a 
cookie is typically indexed by the web server it came from, a path name (indicating a file 
location on the web server), and a variable name. For example, a cookie from the NY Times 
might carry the web server address or domain name "nytimes.com", the pathname 
"/jan14/sports/", and the variable name "username". The last is usually assigned a value, such as 
"username=Dennis". 

[0060] In an embodiment of the invention, when the secure server 14 proxies cookies through to 
the terminal 16, the web browser at the terminal 16 automatically indexes these cookies with the 
address of the secure server 14, since the web browser received the cookies directly from the 
secure server 14 (e.g., not from the nytimes.com server). An embodiment of the invention allows 
these cookies to be subsequently requested by the remote web site (e.g., the nytimes.com web 
site, or other web sites 17 and 19 that originally transmitted the cookies) from the terminal 16, 
without breaking the cookie's usual functionality. That is, a user at the terminal 16 can connect to 
the remote web site (via the secure server 14) with the use of the stored cookies to assist in the 
connection. 

[0061] An example of an algorithm that can be used to proxy cookies is shown generally at 126 
in FIG. 7. The algorithm 126 may be embodied in whole or in part by machine-readable 
instructions (such as code, software, and the like) stored on a machine-readable storage medium 
(such as the storage unit 34) that is accessible to the secure server 14. Beginning at a block 128 
for a cookie that is being sent from the remote web site 17 or 19 for storage at the terminal 16, 
the algorithm 126 replaces the original domain name (e.g., "nytimes.com") of the remote web 
site 17 or 19 with a domain name of the secure server 14. Making this replacement allows the 
cookie to appear as if it originated from the secure server 14 rather than from the remote web site 
17 or 19. 

[0062] The algorithm 126 also replaces the original path name (e.g., "/jan14/sports/") with a new 
pathname. In one embodiment, the new pathname is set to be a simple forward slash "/" so that 
whenever a cookie is subsequently requested from the terminal 16 by any remote web site, all of 
the stored cookies are retrieved and sent to the secure server 14. The secure server 14, once it 
receives the cookies from the terminal 16, determines which cookie(s) is appropriate to forward 
to the web site that made the request. 

[0063] In an embodiment, the algorithm 126 at the block 128 can also add other identification 
(ID) information to the cookie, such as an anonymous ID number that correlates to each specific 
remote web site 17 or 19. The web browser at the terminal 16, in turn, can index the cookie 
under the secure server 14 and under the ID numbers. Whenever the remote web site 17 or 19 
subsequently requests the cookie, the secure server 14 can do a database lookup, for example, to 
locate the ID number of that remote web site, and then request the cookie indexed under that ID 
number from the terminal 16. 



[0064] Next at a block 130, the algorithm 126 appends the original domain name of the web site 
(e.g., "nytimes.com") to the original pathname (e.g., "/jan14/sports/"), and then appends both to 
the original variable name, so that a new variable name is obtained (e.g., 
"/nytimes.com/jan14/sports/username"). At a block 132, the new variable name is encrypted to 
"hide" the original domain name and pathname, and the cookie is subsequently forwarded to the 
terminal 16 for storage. 

[0065] If the cookie is subsequently requested by the remote web site at a block 134, the cookie 
is located from the list of indexed cookies at the terminal 16 and is passed back through the 
secure server 14 on the way to the remote web site (e.g., the nytimes.com server). At the secure 
server 14, the algorithm 126 extracts the original domain name and pathname off of the variable 
name, and determines whether the cookie should be sent on to the remote web site. In the 
embodiment where the forward slash "/" is indicated as the return pathname, the secure server 14 
may receive several cookies (e.g., all or at least multiple stored cookies) from the terminal 16, 
and thus looks at the variable name in each of these cookies to determine which of the cookies is 
the specific one being requested by the remote web site. Additionally, if the web browser at the 
terminal 16 has added information to the cookie that identifies the terminal 16 as the source of 
the cookie (e.g., has "stamped the cookie"), the algorithm 126 can replace or modify such 
information so that the secure server 14 appears as the source of the cookie to the remote web 
site that requested the cookie. 
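
The cookie proxying of blocks 128 to 134 (paragraphs [0061] to [0065]), as an added Node.js sketch; it is not code from the patent. The host name, keys, function names, the AES-256-GCM cipher with an HMAC-derived nonce, and the domain/path matching rule are assumptions, since the text says only that the new variable name is encrypted.

```javascript
const crypto = require('node:crypto');

// Constructed values: the page names no host for secure server 14 and no cipher or keys.
const PROXY_DOMAIN = 'secure-server.example';
const ENC_KEY = crypto.createHash('sha256').update('constructed demo key: encrypt').digest();
const NONCE_KEY = crypto.createHash('sha256').update('constructed demo key: nonce').digest();

// Block 132: encrypt the composite name. The nonce is derived from the plaintext
// (HMAC, truncated to 96 bits) so the same origin cookie always maps to the same
// stored name and a later update overwrites it instead of piling up duplicates.
function sealName(plain) {
  const nonce = crypto.createHmac('sha256', NONCE_KEY).update(plain).digest().subarray(0, 12);
  const enc = crypto.createCipheriv('aes-256-gcm', ENC_KEY, nonce);
  const body = Buffer.concat([enc.update(plain, 'utf8'), enc.final()]);
  // Hex keeps the result inside the characters allowed in a cookie name.
  return Buffer.concat([nonce, enc.getAuthTag(), body]).toString('hex');
}

// Reverse of sealName. Returns null for anything this server did not produce.
function openName(sealed) {
  if (!/^(?:[0-9a-f]{2}){29,}$/.test(sealed)) return null; // 12 nonce + 16 tag + >=1 body
  const raw = Buffer.from(sealed, 'hex');
  try {
    const dec = crypto.createDecipheriv('aes-256-gcm', ENC_KEY, raw.subarray(0, 12));
    dec.setAuthTag(raw.subarray(12, 28));
    return Buffer.concat([dec.update(raw.subarray(28)), dec.final()]).toString('utf8');
  } catch (err) {
    return null; // authentication failed: the name was altered or forged
  }
}

// Blocks 128-132: rewrite a cookie set by a remote site before it reaches the terminal.
function proxySetCookie(cookie) {
  const { domain, name, value } = cookie;
  if (!domain || domain.includes('/') || !name || name.includes('/')) {
    throw new Error('domain and name must be non-empty and contain no "/"');
  }
  // Assumption: a path that does not end in "/" is treated as a directory, so the
  // composite name can be split again without ambiguity.
  let path = cookie.path || '/';
  if (!path.startsWith('/')) path = '/' + path;
  if (!path.endsWith('/')) path += '/';
  const composite = '/' + domain.toLowerCase() + path + name; // block 130
  // Block 128 (domain and path replaced) and block 132 (name encrypted).
  return { domain: PROXY_DOMAIN, path: '/', name: sealName(composite), value };
}

// Split "/domain/path/.../name" back into its three parts.
function splitComposite(composite) {
  const m = /^\/([^\/]+)(\/(?:.*\/)?)([^\/]+)$/.exec(composite);
  return m ? { domain: m[1], path: m[2], name: m[3] } : null;
}

// Block 134: the terminal returned every stored cookie (path "/"); forward only those
// whose recovered domain and path cover the request going to the remote site.
function selectCookiesForSite(storedCookies, host, requestPath) {
  const h = host.toLowerCase();
  const dirPath = requestPath.endsWith('/') ? requestPath : requestPath + '/';
  const forwarded = [];
  for (const stored of storedCookies) {
    const composite = openName(stored.name);
    const origin = composite === null ? null : splitComposite(composite);
    if (origin === null) continue; // not ours, or tampered with: never forwarded
    const domainOk = h === origin.domain || h.endsWith('.' + origin.domain);
    if (domainOk && dirPath.startsWith(origin.path)) {
      forwarded.push({ name: origin.name, value: stored.value });
    }
  }
  return forwarded;
}

// Constructed demo: two sites set cookies through the proxy, then one page is requested.
const jar = [
  proxySetCookie({ domain: 'nytimes.com', path: '/jan14/sports/', name: 'username', value: 'Dennis' }),
  proxySetCookie({ domain: 'other.example', path: '/', name: 'sid', value: 'abc123' }),
];
console.log(jar[0]);
console.log(selectCookiesForSite(jar, 'www.nytimes.com', '/jan14/sports/scores.html'));
```

Because every proxied cookie is stored under the secure server's domain with path "/", the per-site isolation the browser would normally enforce now rests entirely on the server-side selection step, which is why names that fail authentication are dropped rather than forwarded.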

[0066] It is noted that, in an embodiment, all of the information in a usual cookie is stored in the 
new variable name and can be recovered by the secure server 14. In some instances, JavaScript 
or other computer code has to access or set cookies. A set of wrapper functions analogous to 
those used in DHTML rewriting described above with reference to FIG. 6 can be defined that 
can process the modified cookies, including modifications to indicate that the secure server 14 
(rather than the remote web site or the terminal 16) is the source of the cookies. 

[0067] It is noted that in the system 10 shown in FIG. 1 and in other configurations, the 
proxy server 38 and/or information systems 40 may be able to detect the number and length of 
communications from the terminal 16 to the secure server 14, albeit not the content of such 
communications. As a result, the proxy server 38 and/or information systems 40 may be 
eventually programmed to "block" communication to and from the URL/IP address of the 
secure server 14. In other settings, it may be possible for organizations, ISPs, government bodies, 
etc. to restrict access to the secure server 14 by blocking packets having source/destination 
addresses identifiable to the secure server 14. Accordingly, an embodiment of a system 90 is 
shown in FIG. 4 that provides the terminal 16 with multiple access points to the secure 
server 14, thereby bypassing blocking mechanisms. 

[0068] The system 90 includes one or more spoofing units 92 (e.g., intermediate units) 
communicatively coupleable to the terminal 16. The spoofing unit 92 can comprise a server, a 
web site, a web page, or any other network component that has a static IP or URL address. The 
spoofing unit 92 can include/operate software to establish a secure connection 94 with the 
terminal 16 and a connection 96 (which can be secure) with the secure server 14, and can include 
software to pass browser requests from the terminal 16 to the secure server 14 via the 
connections 94-96. 

[0069] Such software may be distributed to operators of the spoofing unit 92 by owners of the 
secure server 14 free of charge (e.g., for example, if the operator of the spoofing unit is an 
advocate of "privacy" or "free speech") or based on various business incentives (e.g., 
installation of the software in exchange for banner advertisement space on the secure browser 
window 66). 

[0070] FIG. 5 shows a flowchart 98 depicting an embodiment of a method for secure 
communication that can be implemented by the system 90. In operation, the terminal 16 may 
indirectly access the secure server 14 when the user launches a web browser at a block 100 and 
enters https:// followed by the domain name (or URL) address of the spoofing unit 92. This 
results in a secure connection to the spoofing unit 92, at a block 102, using a suitable protocol, 
such as TCP/IP. The TCP/IP protocol can include "handshaking" processes where SYN and 
ACK information is exchanged between the terminal 16 and the spoofing unit 92. Entering the 
https:// prefix allows the user to enter into a secure mode by establishing the secure connection 
94, thereby allowing the user to subsequently enter and transmit to the spoofing unit 92, a URL 
address of a destination web site at a block 104. 

[0071] In one embodiment, the user may enter the URL address of the destination web site after 
a string comprising the https:// prefix and URL address of the spoofing unit 92. The URL address 
of the destination web site is subsequently concatenated with the previously entered (or 
automatically entered) string, and the portion of the resulting concatenated URL address having 
the URL address of destination web site is encrypted, in a manner similar to that described above 
with respect to FIGS. 1-2. In another embodiment, the URL address of the spoofing unit may 
also be concatenated with the string and then encrypted. This way, the proxy server 38 
and/or information systems 40 detects only the URL or IP address of the spoofing unit 92, if 
anything, and not the address of the destination web site or of the secure server 14. 

[0072] Upon receipt of the web browser request, software in the spoofing unit 92 recognizes that 
the request was intended for the secure server 14. This may be done by 
decrypting the encrypted addresses and then reading the URL address of the secure server 14, or 
by other methods to detect that the request has to be forwarded to the secure server 14. For 
example, in one embodiment, the spoofing unit 92 need not decrypt the encrypted addresses to 
obtain the address of the secure server 14, if the spoofing unit 92 already has the address of the 
secure server 14. For instance, the address of the secure server 14 can be "hard-coded" into the 
software of the spoofing unit 92 and so does not need to be specified by the user of the terminal 
16. The spoofing unit 92 forwards the request to the secure server 14 via the connection 96 at a 
block 106. It is noted that the spoofing unit 92 can also forward the SYN/ACK information or 
other data to assist the secure server 14 in maintaining and synchronizing subsequent 
communication with the terminal 16. At a block 108, the secure server 14 receives the request 
from the spoofing unit 92 and processes the SYN/ACK (and other) information to keep track of 
and synchronize the order of packets. A person skilled in the art will know how to implement the 
SYN/ACK process, TCP/IP protocol, or other suitable protocol, based on the description 
provided herein. 

[0073] After the secure server 14 receives the request and relevant protocol 
information (for example, SYN/ACK numbers) from the spoofing unit 92, it decrypts the data to 
obtain the URL address of the destination web site and obtains the requested web page therefrom 
at a block 110. Similar to the block 56 in the flowchart 46 of FIG. 2, the secure server 14 at 
the block 110 can perform URL rewriting. This may include rewriting the URL address of the 
requested web page (e.g., "spoofing" its URL address) and its hypertext links to indicate the 
spoofing unit 92 as the source. Modification of script and code (e.g., Java™ and 
JavaScript™) of the web page may also be performed to ensure that all subsequent requests 
by the web browser at the terminal 16 are sent to the spoofing unit 92 (and from there, 
subsequently sent to the secure server 14), such as described above with reference to FIG. 6. 

[0074] As with the block 56 of FIG. 2, the secure server 14 may perform cookie control 
and other electronic file management at the block 110. After the processes described above are 
performed on the web page, the web page is encrypted and directly sent for display to the 
terminal 16, via the secure link 18, at a block 112. 

[0075] Since the return IP or URL address of all packets sent from the secure server 14 to the 
terminal 16 are "spoofed" so that they appear to come from the spoofing unit 92, it is virtually 
impossible for the proxy server 38 and/or information systems 40 to determine that the packets 
came from the secure server 14 (and from addresses other than the address of the spoofing unit 
92). This can prove particularly useful if the user is viewing web pages of a controversial or 
controlled nature. The configuration of the system 90 of FIG. 4 makes it appear to the 
proxy server 38 and/or information system 40 that the encrypted content viewed by the user, 
whatever it may be, is originating from an innocuous web site at the spoofing unit 92. 

[0076] At a block 114 in FIG. 5, the user may click on a hypertext link on the displayed 
web page or enter a URL address of another web site (e.g., continue to "surf"), thereby 
resulting in transmission of encrypted web browser requests to the spoofing unit 92, in a manner 
described above with respect to blocks 104-112. As before, web browser requests are sent to the 
spoofing unit 92 via the secure connection 94 (and forwarded to the secure server 14 via the 
connection 96), while retrieved web pages are sent directly to the terminal 16 from the secure 
server 14, without having to go through the spoofing unit 92. This is particularly advantageous 
because the bandwidth capacity of the spoofing unit 92 is not overwhelmed. That is, web 
browser requests take up significantly less bandwidth than web page content produced in 
response to such request. Hence, the spoofing unit 92 can easily accommodate multiple web 
browser requests, while the secure server 14 has the larger bandwidth to handle the content, via 
the secure link 18. 

[0077] If the user stops surfing at the block 114, then at log-out, cookies, file histories, cached 
web pages, etc. are deleted at a block 116. This may be done in a manner similar to the block 64 
of FIG. 2. 

[0078] As mentioned, there may be more than one spoofing unit 92. Hence, if access to any one 
of the spoofing units 92 is blocked, access to the secure server 14 may be obtained from other 
spoofing units. According to one embodiment, users may be provided with hardcopy or online 
URL directories of spoofing units, such that they can identify and connect to any of these 
participating units. In another embodiment, the secure server 14 can perform hand-off and 
redirection of the user's web browser to different spoofing units, such that the user's web 
browser can "dynamically" connect or reconnect to different spoofing units, as directed by the 
secure server 14. The secure server 14 may also automatically and dynamically provide the 
user's web browser with URL addresses of spoofing units (e.g., during a transmission of an 
encrypted web page), such that the user's web browser can automatically connect to such URL 
addresses for the next transaction(s). 

[0079] As mentioned, an embodiment of the spoofing unit 92, the terminal 16, or the secure 
server 14 can communicate with each other using TCP/IP techniques. With TCP/IP, a 
"connection" between units can be said to be "stateful." That is, there is typically a well-defined 
handshake that happens between the two units involved, after which they both agree that a 
connection has been established. With a "non-stateful" connection, in comparison, one unit just 
sends a packet to the other unit with no acknowledgement or guarantee that the second unit has 
received the packet. 

[0080] According to one embodiment of the invention, the spoofing unit 92 forwards TCP/IP 
packets it receives from the terminal 16 to the secure server 14. The packets can be "wrapped 
with," or otherwise include, additional information (e.g., a version number and the like). One 
embodiment can forward user datagram protocol (UDP) packets from the terminal 16 to the 
spoofing unit 92, and it is to be appreciated that other types of packets can also be sent with 
another embodiment. In this embodiment, such as with UDP packets, no stateful connection is 
made between the terminal 16 and the spoofing unit 92. There is, however, a stateful connection 
between the secure server 14 and the terminal 16 when packets are sent from the secure server 14 
to the terminal 16 via the secure link 18. Thus, the spoofing unit 92 can be somewhat analogous 
to an Internet packet router, which simply forwards packets on to their destination. The 
connection between the spoofing unit 92 and the secure server 14 may or may not be stateful 
according to various embodiments. 

[0081] It is noted that in one embodiment, the "packet forwarding" from the spoofing unit 92 to 
the secure server 14 need not include the entire TCP/IP packet. Software in the spoofing unit 92 
(or in another location) can strip out certain information such as SYN/ACK numbers, the data in 
the message, and the like, and then send this information on to the secure server 14 using some 
other protocol. 

[0082] Another embodiment provides a stateful connection between the terminal 16 and the 
spoofing unit 92. In this embodiment, the stateful connection between the terminal 16 and the 
spoofing unit 92 can be a TCP/IP connection, or an SSL connection. If it is an SSL connection, a 
key exchange can first occur between the terminal 16 and the spoofing unit 92. The connection 
between the spoofing unit 92 and the secure server 14 in this embodiment may or may not be 
stateful. 

[0083] When a stateful connection (such as a TCP/IP connection) is established between the 
spoofing unit 92 and the terminal 16, the spoofing unit 92 passes request(s) on to the secure 
server 14 only when such requests are made by the terminal 16. The response by the secure 
server 14 to the requests is still made to look like the response came from the spoofing unit 92, 
but there is no stateful connection between the secure server 14 and the terminal 16. It is noted 
that, with the exception of the embodiment where a full SSL connection is made between the 
spoofing unit 92 and the terminal 16, the data (e.g., a request) is not decrypted by spoofing unit 
92 in an embodiment. Rather, the spoofing unit 92 simply sends the request on to the secure 
server 14, which does the decrypting. Subsequently, the secure server 14 sends the requested web 
pages (encrypted) to the terminal 16 via the secure link 18, with the terminal 16 having the 
private key to decrypt the web pages once they are received from the secure server 14. 

[0084] Various features and business models may be implemented by the embodiments described 
above and shown in the figures, to manage and customize a user's privacy. According to one 
embodiment, a user's privacy can be provided by the secure server 14 in exchange for placement 
of user-specific or general banner advertisements 78-82 on the secure server window 66 of 
FIG. 3. In such a case, user identity, user IP addresses, and user 
content (e.g., content delivered or accessed) may be kept private in exchange for placement of 
banner advertisements. 

[0085] In another embodiment, components that are less important to users and most important 
to advertisers, web sites, or employers can be sold by the organization operating the secure server 
14, with the user's permission. These components include: 

[0086] time spent online, bandwidth used (e.g., provided to employers); 

[0087] web surfing patterns of the user and correlations (e.g., provided to advertisers, web sites, 
and vendors); or 

[0088] personal preferences and interest of the user (e.g., provided to advertisers, web sites, and 
vendors). 

[0089] An example includes cookie control. Based on the preferences and instructions of the 
user, the user may control the type and quantity of cookies delivered to or filtered from the 
user's web browser by the secure server 14. In one embodiment, the user may be able to 
designate cookies for storage under a pseudonym, directly on the secure server 14, thereby 
adding another layer of privacy. Because cookies are often used to build profiles of the user (by 
web sites or advertisers), controlling cookie exchange with destination web sites allows the user 
to manage the amount of privacy provided by the secure server 14. 

[0090] According to one embodiment, a user may allow operators of the secure server 14 to 
collect specified data related to the web browsing habits of the user, and then sell such 
information to advertisers, in exchange for protecting the user's privacy at all times. In this 
embodiment, such information may be sold to the advertisers with the permission of the user, and 
includes information that the user is generally not sensitive about. 

[0091] In conclusion then, embodiments of the invention provide a secure server 14. Users at 
terminals 16 can obtain information from web sites in the network 12 through the secure link 18, 
in encrypted form, thereby protecting their privacy and security. Such information appears as if 
it comes from the secure server 14 rather than specific web sites. Spoofing units 92 may be used 
as alternative access points to the secure server 14, with the secure server 14 sending requested 
information directly to the terminal 16. In general, URL rewriting and other manipulation can be 
performed such that the true source of the information is disguised and such that subsequent 
communication from the terminal 16 is directed to the secure server 14 and/or spoofing unit 92, 
rather than to the true source of the information (e.g., the web site). Components of the user's 
privacy may be sold as specified by the user, and advertisements may be displayed in exchange 
for protection of the user's identity. 

[0092] The above description of illustrated embodiments of the invention is not intended to be 
exhaustive or to limit the invention to the precise forms disclosed. While specific embodiments 
of, and examples for, the invention are described herein for illustrative purposes, various 
equivalent modifications are possible within the scope of the invention, as those skilled in the 
relevant art will recognize. 

[0093] These modifications can be made to the invention in light of the above detailed 
description. The terms used in the following claims should not be construed to limit the 
invention to the specific embodiments disclosed in the specification and the claims. Rather, the 
scope of the invention is to be determined entirely by the following claims, which are to be 
construed in accordance with established doctrines of claim interpretation. 

CLAIMS 

What is claimed is: 

1. A method, comprising: responsive to a request, retrieving a web page designated in the 
request; modifying an address associated with the retrieved web page to indicate an address 
associated with a secure server that retrieved the web page; and encrypting data associated with 
the retrieved web page and sending, via a secure link, the encrypted data to a terminal that sent 
the request. 

£ Th e m e thod of claim 1 wh e r e in the secure link compris e s a secur e sock e ts layer 

(SSL) link. 

3i The m e thod of claim 1 wh e rein modifying the address associat e d with tho 

retrieved web page comprises modifying a Uniform Resourc e Locator (URL) or Int e rnet 
Protocol (IP) addr e ss of a sourc e w e b sit e that originated th e w e b page. 

4z Th e method of claim 1 wh e r e in modifying th e addr e ss associat e d with th e 

r e triev e d w e b page compris e s modifying an address associat e d with a hypertext link in th e 
retrieved w e b page to indicate the address associat e d with th e secure server. 

2. The method of claim 1, further comprising modifying computer code associated with the 
retrieved web page to cause subsequent requests related to the retrieved web page to be sent to 
the secure server instead of to a source web site that originated the web page. 

%r. 

3. The method of claim 1, furth e r comprising d e crypting th e addr e ss associat e d with th e w e b 
page f ro m a n addre ss re c eiv e d along with th e request from th e t e rminal, th e address recei ved 
along with the request from the terminal comprising a concatenation of the address a s sociated 
with the w e b pag e and th e 2 wherein the computer code is associated with a Turing complete 
language. 

4. The method of claim 2 wherein the computer code comprises a dynamic hypertext markup 
language (DHTML) code. 

5. The method of claim 2 wherein modifying computer code associated with the retrieved web 
page includes: obtaining the code to be modified; identifying an original function in the code to 
access a resource address different from an address associated with the secure server; 

3-. The method of claim 1, furth e r comprising r e p e ating th e r e tri e ving, modifying, 

encrypting, and s e nding whil e the s e cure link is active, : and replacing the original function in 
the code with a new function to access the address associated with the secure server. 

6. The method of claim 5 wherein replacing the original function in the code with the new 
function includes: defining the new function by appending a prefix, having the address 
associated with the secure server, to the resource address; and calling the original function. 

7. The method of claim 5 wherein replacing the original function in the code with the new 
function comprises altering the original function to include the address associated with the secure 
server in addition to the resource address. 

8. The method of claim 1, further comprising triggering a deletion of stored electronic files at 
the terminal related to a communication via the secure link, in response to termination of the 
communication / using a proxy technique to indicate the address associated with the secure server 
as a source of an electronic file that is sent from a web site to the terminal for storage. 

ft Th e m e thod of claim 1, further comprising, at the s e cur e s e rver, controlling 

transmission of e l e ctronic fil e s to the terminal based on pr e f e renc e s receiv e d from th e t e rminal. 

4ft 

9. The method of claim 8 wherein the proxy technique includes: replacing an original address 
associated with the web site that is present in the electronic file with the address associated with 
the secure server; appending the address associated with the web site to an original pathname; 
obtaining a new variable name by appending the appended address and original pathname to an 
original variable name; forwarding the electronic file having the new variable name from the 
secure server to the terminal; and if the stored electronic file is subsequently requested by the 
web site, retrieving the stored electronic file from the terminal via the secure server and 
extracting the address associated with the web site and the original path name from the new 
variable name in the retrieved electronic file. 

10. The method of claim 9, further comprising replacing the original pathname with a new 
pathname. 

11. The method of claim 9, further comprising encrypting at least the new variable name in the 
electronic file. 

12. The method of claim 9, further comprising rewriting computer code to process the electronic 
files having the new variable names. 

13. The method of claim 1, further comprising: providing an intermediate unit to receive the 
request from the terminal; 

at the secure server, receiving the request forwarded from the intermediate unit; 

retrieving the web page designated in the request from a source; 

modifying address information in the retrieved web page to indicate a source 
address corresponding to an address of the intermediate unit rather than to an address of the 
source that provided the web page; and 

directly sending an encrypted version of the retrieved web page from the secure 
server to the terminal, via the secure link. 

44^ Th e m e thod of claim 10, furth e r comprising r e c e iving, at the secure server, 

communication protocol information r e lat e d to a communication betwe e n the terminal and th e 
interm e diate unit, to allow the secure s e rver to respond to requests sent sever to the terminal, via 
the secure link. 

14. The method of claim 13 wherein a connection between the secure server and the terminal via 
the secure link comprises a stateful connection, and wherein a connection between the terminal 
and the intermediate unit comprises a non-stateful connection. 

15. The method of claim 13 wherein a connection between the secure server and the terminal via 
the secure link comprises a non-stateful connection, and wherein a connection between the 
terminal and the intermediate unit comprises a stateful connection. 

16. The method of claim 14 wherein the stateful connection comprises a Transmission Control 
Protocol/Internet Protocol (TCP/IP) connection. 

17. The method of claim 14, further comprising stripping at least some data from the request 
prior to forwarding the request to the secure server from the intermediate unit. 

45: Th e m e thod of claim 10, furth e r comprising rec e iving subs e qu e nt requ e sts from 

th e t e rminal at the int e rmediate unit rather than dir e ctly at th e secur e s e rver from the t e rminal. 

4^ The method of claim 1, further comprising storing under a pseudonym at a 

location communicatively c o u pl ed to the secure server, electronic files sent from a web site along 
with the web page. 

44t The method of claim 1, further comprising: 

obtaining information related to a user's communication with the secure server; 
providing the obtained information to an entity based on permission of the user 
and in exchange for providing the secure link; and 
providing advertisements from the entity to the user related to the obtained 
information. 

±5-. The method of claim 1, further comprising: 

providing a viewing window at the terminal; 

displaying the retrieved web page at the viewing window; and 

providing an interface for subsequent communication with the secure server from 
the viewing window. 

4-§r A method, comprising: 

providing an intermediate unit to receive a request for a web page from a 
terminal; 

at a secure server, receiving the request, forwarded from the intermediate unit; 
retrieving the web page via the stateful connection. 

18. A method, comprising: providing an intermediate unit to receive a request for a web page 
from a terminal: at a secure server, receiving the request, forwarded from the intermediate unit: 
retrieving the web page designated in the request from a source; 

from a source: modifying address information in the retrieved web page to 
indicate a source address corresponding to an address associated with the intermediate unit rather 
than to an address associated with a source that provided the web page information in the 
retrieved web page to indicate a source address corresponding to an address associated with the 
intermediate unit rather than to an address associated with a source that provided the web page; 
and 

directly directly sending an encrypted version of the retrieved web page from the 
secure server to the terminal, via a secure link. 

¥k The method of claim 16, further comprising receiving, at the secure server, 
communication protocol information related to a communication between the terminal and the 
intermediate unit, to allow the secure server to respond to requests sent to the intermediate unit 
from the terminal. 

The method of claim 16 further comprising receiving subsequent requests from 
the terminal at the intermediate unit rather than directly at the secure server from the terminal. 

¥k The method of claim 16, further comprising: 
receiving from the intermediate unit and at the secure server, encrypted address 
information associated with the web page, concatenated with the address associated with the 
intermediate unit; 

decrypting the encrypted address information and retrieving a web page 
corresponding thereto; and 

re-encrypting the address associated with the retrieved web page and 
concatenating the re-encrypted address with the address associated with the intermediate unit, 

A machine-readable medium having stored thereon instructions, which when 
executed by a processor, cause the processor to effect the following: 

responsive to a request, retrieve a web page designated in the request; 

modify an address associated with the retrieved web page to indicate an address 
associated with a secure server that retrieved the web page; and 

encrypt data associated with the retrieved web page and send, via a secure link, 
the encrypted data to a terminal that sent the request. 

3A- The machine readable medium of claim 20 wherein the instructions cause the 
processor to effect the following: 

send the encrypted data via the secure link by sending the encrypted data via a 
secure sockets layer (SSL) link. 

23r. The machine readable medium of claim 20 wherein the instructions cause the 
processor to effect the following: 

modify the address associated with the retrieved web page by modifying a 
Uniform Resource Locator (URL) or Internet Protocol (IP) address of a source web site that 
originated the web page. 

3& The machine readable medium of claim 20 wherein the instructions cause the 
processor to effect the following: 

receive the request from the terminal forwarded from an intermediate unit; 

retrieve the web page designated in the request from a source; 

modify address information in the retrieved web page to indicate a source address 
corresponding to an address associated with the intermediate unit rather than to an address 
associated with the source that provided the web page; and 
directly send an encrypted version of the retrieved web page from the secure 
server to the terminal, via the source link. 

24-. A machine readable medium having stored thereon instructions, which when 
executed by a processor cause the processor to effect the following: 

receive a request for a web page from a terminal; and of the retrieved web page 
from the secure server to the terminal, via a secure link, 

19. The method of claim 18 wherein a connection between the secure server and the terminal via 
the secure link comprises a stateful connection. 

20. The method of claim 19 wherein the stateful connection comprises a Transmission Control 
Protocol/Internet Protocol (TCP/IP) connection. 

21. The method of claim 19 wherein a connection between the terminal and the intermediate unit 
comprises a non-stateful connection. 

22. The method of claim 21 further comprising stripping at least some data from the request prior 
to forwarding the request to the secure server from the intermediate unit via the stateful 
connection. 

23. The method of claim 19 wherein a connection between the terminal and the intermediate unit 
comprises a stateful connection. 

24. The method of claim 23 wherein a connection between the terminal and the secure server 
comprises a non-stateful connection. 

25. The method of claim 23 wherein the stateful connection between the terminal and the 
intermediate unit comprises a secure connection. 

26. The method of claim 23 wherein the intermediate unit decrypts at least a portion of the 
request that is received from the terminal via the secure connection and that is to be forwarded to 
the secure server. 

27. An article of manufacture, comprising a machine-readable medium having stored thereon 
instructions to: receive a request for a web page from a terminal: and forward the request from 
the terminal to a secure server to allow the secure server to retrieve the web page designated in 
the request from a source and to allow the secure server to directly send an encrypted version of 
the retrieved web page from the secure server to the terminal, via a secure link. 

2$-. The 28. The article of manufacture of claim 27 wherein the machine-readable medium of 
claim 24 wherein the instructions further cause the processor to effect the following: further 
includes instructions stored thereon to establish a stateful connection with the terminal. 
send to the secure server communication protocol information related to a 
communication with the terminal, to allow the secure server to respond to requests sent from the 
terminal. 

2&. : The 29. The article of manufacture of claim 27 wherein the machine-readable medium of 
claim 24 wherein the instructions further cause the processor to effect the following: further 
includes instructions stored thereon to strip at least some of the information in the request that is 
received from the terminal and that is to be forwarded to the secure server. 

receive subsequent requests from directly the terminal rather than directly at the 
secure server. 

¥h The machine readable medium of claim 24 wherein the instructions further cause 
the processor to effect the following: 

receive an encrypted address concatenated with other address information via a 
secure connection; 

decrypt the encrypted address and retrieve an address associated with the secure 
server or the address associated with the web page therefrom; and 

send the request to the decrypted address. 

2$-. An apparatus, comprising: 

a processor coupled to a storage unit, the storage unit being capable of storing a 
computer program; and 

a communication unit to allow the processor to communicate with a terminal and 
with a web site, wherein, responsive to a request from the terminal, the processor is capable of 
effecting execution of the computer program to retrieve a requested web page from the web site 
via the communication unit, to modify an address of the retrieved web page to a different 
address, to encrypt data associated with the retrieved web page, and to send the encrypted data to 
the terminal via a secure link communicatively coupleable to the communication unit. 

29^30, The apparatus article of manufacture of claim 28 wherein the secure link comprises a 
secure sockets layer (SSL) link. 27 wherein a connection between the secure server and the 
terminal comprises a stateful connection. 

3©: The apparatus of claim 28; further comprising a database unit communicatively 
coupled to the processor to store electronic files under a pseudonym, the electronic files 
corresponding to data sent from the web site along with the retrieved web page. 

34. — An apparatus, comprising: 

31. An apparatus, comprising: a server communicatively coupleable to a network and to a 
terminal, the server being capable of sending data from the network to the terminal in an 
encrypted form via a secure link, in response to a request received from the terminal, wherein the 
data sent to the terminal indicates the server as a source of the data. 

Si The apparatus of claim 31 wherein the secure link comprises a secure sockets 
layer (SSL) link. 

3^- 32. The apparatus of claim 31 wherein the server is communicatively coupleable to an 
intermediate unit, the server being capable of receiving the request from the terminal via the 
intermediate unit and sending the data responsive to the request directly to the terminal via the 
secure link capable to use a cookie proxy technique to indicate the address associated with the 
server as a source of a cookie that is sent from the network to the terminal for storage. 
34; A system, comprising: 

33. A system, comprising: a server communicatively coupleable to a network and to a terminal, 
the server being capable of sending data from the network to the terminal in an encrypted form 
via a secure link, in response to a request received from the terminal, wherein the data sent to 
the terminal indicates the server as a source of the data; and an intermediate unit 
communicatively coupleable to the server, the server being capable of receiving the request from 
the terminal via the intermediate unit and sending the data responsive to the request directly to 
the terminal via the secure link. 

The system of claim 34 wherein the secure link comprises a secure sockets layer 
(SSL) link. 

34^ 34. The system of claim 3433 wherein the intermediate unit is capable of receiving 
subsequent requests from the terminal and sending the request to the server, the server being 
capable of receiving the requests from the intermediate unit and sending data responsive to the 
request directly to the terminal, the data sent to the terminal indicating a source address 
corresponding to the intermediate unit rather than an address corresponding to the server. 


35. The system of claim 34 wherein a connection between the terminal and the intermediate unit 
comprises a non-stateful connection, and wherein a connection between the terminal and the 
secure server comprises a stateful connection. 

36. The system of claim 34 wherein a connection between the terminal and the intermediate unit 
comprises a stateful connection, and wherein a connection between the terminal and the secure 
server comprises a non-stateful connection. 

37. The system of claim 35 wherein the stateful connection between the terminal and the secure 
server comprises a Transmission Control Protocol/Internet Protocol (TCP/IP) connection. 

Abstract 

An embodiment of the invention includes a secure server. A user at a terminal, communicatively 
coupled to the secure server by a secure link, can obtain web pages from web sites in a network, 
in encrypted form, via the secure link. Addresses associated with the web pages are altered to 
make it appear as if the web pages come from the secure server rather than from the web sites. 
Spoofing units may be used as alternative access points to the secure server, with the secure 
server sending the requested web pages directly to the terminal. In general, address rewriting 
and other manipulation can be performed on the requested web pages, such that the true sources 
of the web pages are disguised and such that subsequent communications from the terminal are 
directed to the secure server and/or spoofing unit, rather than to the true source of the web pages. 
Components of the user's privacy may be sold, or advertisements may be provided, in exchange 
for protection of the user's identity. 






Document comparison done by DeltaView on Tuesday, April 19, 2005 6:05:55 PM 







Document 1: PowerDocs://EAST/7327497/1 
Document 2: PowerDocs://EAST/7387604/1 
Rendering set: standardd 










Count 
Insertions: 283 
Deletions: 217 
Moved from: 2 
Moved to: 2 
Style change: 0 
Format changed: 0 
Total changes: 504 



7388360 v1 








